16341600x80000000000000001Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local2021-06-10 10:05:25.457c:\Program Files\ansible\AttackRangeSysmon.xmlSHA256=0ABB62ECDB67B3213E4229F59E1901BD5CC01F4D4878B42875D481210CAAC5DF 23542300x800000000000000038Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:27.971{928AB1BB-E3E4-60C1-9B02-00000000C301}3860ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5=446DD1CF97EABA21CF14D03AEBC79F27,SHA256=A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000037Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:27.939{928AB1BB-E3E4-60C1-9C02-00000000C301}3580ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5=446DD1CF97EABA21CF14D03AEBC79F27,SHA256=A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000036Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:27.044{928AB1BB-E35F-60C1-1300-00000000C301}9641256C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\cryptsvc.dll+6124|c:\windows\system32\cryptsvc.dll+5e34|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 17141700x800000000000000035Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-CreatePipe2021-06-10 10:05:27.028{928AB1BB-E35F-60C1-1600-00000000C301}1264\PIPE_EVENTROOT\CIMV2SCM EVENT PROVIDERC:\Windows\system32\svchost.exe 10341000x800000000000000034Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:27.013{928AB1BB-E35F-60C1-0C00-00000000C301}860904C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:27.013{928AB1BB-E35F-60C1-0C00-00000000C301}860904C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:27.013{928AB1BB-E35F-60C1-0C00-00000000C301}860904C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:27.013{928AB1BB-E35F-60C1-0C00-00000000C301}860904C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:27.013{928AB1BB-E35F-60C1-0C00-00000000C301}860904C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:27.013{928AB1BB-E35F-60C1-0C00-00000000C301}860904C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:27.013{928AB1BB-E35F-60C1-0C00-00000000C301}860904C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:27.013{928AB1BB-E35F-60C1-0C00-00000000C301}860904C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:27.013{928AB1BB-E35F-60C1-0C00-00000000C301}860904C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:27.013{928AB1BB-E35D-60C1-0B00-00000000C301}632852C:\Windows\system32\lsass.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:27.013{928AB1BB-E35D-60C1-0B00-00000000C301}632852C:\Windows\system32\lsass.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:27.013{928AB1BB-E35F-60C1-0C00-00000000C301}860904C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000022Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:27.013{928AB1BB-E35F-60C1-0C00-00000000C301}860904C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:27.013{928AB1BB-E35F-60C1-0C00-00000000C301}860904C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:27.013{928AB1BB-E35F-60C1-0C00-00000000C301}860904C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:27.013{928AB1BB-E35F-60C1-0C00-00000000C301}860904C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:27.013{928AB1BB-E35F-60C1-0C00-00000000C301}860904C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000017Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:27.013{928AB1BB-E35F-60C1-0C00-00000000C301}860904C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000016Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:27.013{928AB1BB-E35F-60C1-0C00-00000000C301}860904C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:27.013{928AB1BB-E35F-60C1-0C00-00000000C301}860904C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000014Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:26.997{928AB1BB-E35F-60C1-0C00-00000000C301}860904C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000013Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:26.997{928AB1BB-E35F-60C1-0C00-00000000C301}860904C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000012Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:26.997{928AB1BB-E35F-60C1-0C00-00000000C301}860904C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000011Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:26.965{928AB1BB-E35F-60C1-0C00-00000000C301}860904C:\Windows\system32\svchost.exe{928AB1BB-E3E6-60C1-A702-00000000C301}1244C:\Windows\system32\wbem\unsecapp.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000010Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:26.965{928AB1BB-E349-60C1-0500-00000000C301}412500C:\Windows\system32\csrss.exe{928AB1BB-E3E6-60C1-A702-00000000C301}1244C:\Windows\system32\wbem\unsecapp.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000009Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:26.965{928AB1BB-E35F-60C1-0C00-00000000C301}860904C:\Windows\system32\svchost.exe{928AB1BB-E3E6-60C1-A702-00000000C301}1244C:\Windows\system32\wbem\unsecapp.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+35069|c:\windows\system32\rpcss.dll+3a852|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000008Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:26.966{928AB1BB-E3E6-60C1-A702-00000000C301}1244C:\Windows\System32\wbem\unsecapp.exe10.0.14393.4169 (rs1_release.210107-1130)Sink to receive asynchronous callbacks for WMI client applicationMicrosoft® Windows® Operating SystemMicrosoft Corporationunsecapp.dllC:\Windows\system32\wbem\unsecapp.exe -EmbeddingC:\Windows\system32\NT AUTHORITY\SYSTEM{928AB1BB-E35D-60C1-E703-000000000000}0x3e70SystemMD5=2443CA5962E2134CB389DCD5056D27AE,SHA256=018FF62BCDC292CF9290DB0574C8EF9C97EBC26933C8FC950DD8E6B2B91972FB,IMPHASH=A3CC49DF67C2278F822C9EBB9908BF09{928AB1BB-E35F-60C1-0C00-00000000C301}860C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch 10341000x80000000000000007Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:26.887{928AB1BB-E35F-60C1-0C00-00000000C301}860904C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000006Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:26.871{928AB1BB-E35D-60C1-0A00-00000000C301}624708C:\Windows\system32\services.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\services.exe+1713f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000005Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:25.489{928AB1BB-E349-60C1-0500-00000000C301}412428C:\Windows\system32\csrss.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000004Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:25.489{928AB1BB-E35D-60C1-0A00-00000000C301}624292C:\Windows\system32\services.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\services.exe+3332|C:\Windows\system32\services.exe+6334|C:\Windows\system32\services.exe+dc24|C:\Windows\system32\services.exe+d248|C:\Windows\system32\services.exe+4d0c|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000003Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:25.479{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe13.01System activity monitorSysinternals SysmonSysinternals - www.sysinternals.com-C:\Windows\sysmon64.exeC:\Windows\system32\NT AUTHORITY\SYSTEM{928AB1BB-E35D-60C1-E703-000000000000}0x3e70SystemMD5=8A914CFB7496B8461285C009DD8F5627,SHA256=422EC998FED690C2EC3239A4BB80075F098A9A95CBDFFBC873365B9F7136A02A,IMPHASH=DCF866F4139DD7FF6C0A5D4FA050CD7A{928AB1BB-E35D-60C1-0A00-00000000C301}624C:\Windows\System32\services.exeC:\Windows\system32\services.exe 434400x80000000000000002Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local2021-06-10 10:05:26.997Started13.014.50 10341000x8000000000000000103Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:28.898{928AB1BB-E35F-60C1-0C00-00000000C301}860888C:\Windows\system32\svchost.exe{928AB1BB-E35D-60C1-0B00-00000000C301}632C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000102Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:28.898{928AB1BB-E35F-60C1-0C00-00000000C301}860888C:\Windows\system32\svchost.exe{928AB1BB-E35D-60C1-0B00-00000000C301}632C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:28.898{928AB1BB-E35D-60C1-0B00-00000000C301}632844C:\Windows\system32\lsass.exe{928AB1BB-E35D-60C1-0A00-00000000C301}624C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000100Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:28.882{928AB1BB-E35F-60C1-1200-00000000C301}9001104C:\Windows\System32\svchost.exe{928AB1BB-E35F-60C1-1100-00000000C301}404C:\Windows\system32\svchost.exe0x1440C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|c:\windows\system32\ncbservice.dll+2f95|c:\windows\system32\ncbservice.dll+4609|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000099Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:28.882{928AB1BB-E35F-60C1-1200-00000000C301}9001104C:\Windows\System32\svchost.exe{928AB1BB-E35F-60C1-1100-00000000C301}404C:\Windows\system32\svchost.exe0x1440C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|c:\windows\system32\ncbservice.dll+2f95|c:\windows\system32\ncbservice.dll+2e77|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000098Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:28.772{928AB1BB-E35F-60C1-0C00-00000000C301}860888C:\Windows\system32\svchost.exe{928AB1BB-E35D-60C1-0B00-00000000C301}632C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000097Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:28.772{928AB1BB-E35F-60C1-0C00-00000000C301}860888C:\Windows\system32\svchost.exe{928AB1BB-E35D-60C1-0B00-00000000C301}632C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000096Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:28.772{928AB1BB-E35D-60C1-0B00-00000000C301}632852C:\Windows\system32\lsass.exe{928AB1BB-E35D-60C1-0A00-00000000C301}624C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:28.379{928AB1BB-E35D-60C1-0B00-00000000C301}632852C:\Windows\system32\lsass.exe{928AB1BB-E35F-60C1-1300-00000000C301}964C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+1d1e8|C:\Windows\system32\lsasrv.dll+1c411|C:\Windows\system32\lsasrv.dll+1ac30|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:28.379{928AB1BB-E35D-60C1-0B00-00000000C301}632852C:\Windows\system32\lsass.exe{928AB1BB-E35F-60C1-1300-00000000C301}964C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+19616|C:\Windows\system32\lsasrv.dll+1abbf|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000093Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:28.379{928AB1BB-E35D-60C1-0B00-00000000C301}632852C:\Windows\system32\lsass.exe{928AB1BB-E35F-60C1-1300-00000000C301}964C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000092Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:28.364{928AB1BB-E3E8-60C1-A902-00000000C301}21523000C:\Windows\system32\conhost.exe{928AB1BB-E3E8-60C1-AB02-00000000C301}2144C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000091Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:28.364{928AB1BB-E35F-60C1-0C00-00000000C301}860888C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000090Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:28.364{928AB1BB-E35F-60C1-0C00-00000000C301}860888C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000089Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:28.364{928AB1BB-E35F-60C1-0C00-00000000C301}860888C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000088Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:28.364{928AB1BB-E35F-60C1-0C00-00000000C301}860888C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000087Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:28.364{928AB1BB-E35F-60C1-0C00-00000000C301}860888C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000086Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:28.364{928AB1BB-E35F-60C1-0C00-00000000C301}860888C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000085Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:28.364{928AB1BB-E35F-60C1-0C00-00000000C301}860888C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000084Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:28.364{928AB1BB-E35F-60C1-0C00-00000000C301}860888C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:28.364{928AB1BB-E349-60C1-0500-00000000C301}412500C:\Windows\system32\csrss.exe{928AB1BB-E3E8-60C1-AB02-00000000C301}2144C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000082Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:28.364{928AB1BB-E35F-60C1-0C00-00000000C301}860888C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:28.364{928AB1BB-E3E8-60C1-AA02-00000000C301}31322508C:\Windows\system32\cmd.exe{928AB1BB-E3E8-60C1-AB02-00000000C301}2144C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000080Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:28.363{928AB1BB-E3E8-60C1-AB02-00000000C301}2144C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXEPowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand UABvAHcAZQByAFMAaABlAGwAbAAgAC0ATgBvAFAAcgBvAGYAaQBsAGUAIAAtAE4AbwBuAEkAbgB0AGUAcgBhAGMAdABpAHYAZQAgAC0ARQB4AGUAYwB1AHQAaQBvAG4AUABvAGwAaQBjAHkAIABVAG4AcgBlAHMAdAByAGkAYwB0AGUAZAAgAC0ARQBuAGMAbwBkAGUAZABDAG8AbQBtAGEAbgBkACAASgBnAEIAagBBAEcAZwBBAFkAdwBCAHcAQQBDADQAQQBZAHcAQgB2AEEARwAwAEEASQBBAEEAMgBBAEQAVQBBAE0AQQBBAHcAQQBEAEUAQQBJAEEAQQArAEEAQwBBAEEASgBBAEIAdQBBAEgAVQBBAGIAQQBCAHMAQQBBAG8AQQBKAEEAQgBsAEEASABnAEEAWgBRAEIAagBBAEYAOABBAGQAdwBCAHkAQQBHAEUAQQBjAEEAQgB3AEEARwBVAEEAYwBnAEIAZgBBAEgATQBBAGQAQQBCAHkAQQBDAEEAQQBQAFEAQQBnAEEAQwBRAEEAYQBRAEIAdQBBAEgAQQBBAGQAUQBCADAAQQBDAEEAQQBmAEEAQQBnAEEARQA4AEEAZABRAEIAMABBAEMAMABBAFUAdwBCADAAQQBIAEkAQQBhAFEAQgB1AEEARwBjAEEAQwBnAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBBAGcAQQBEADAAQQBJAEEAQQBrAEEARwBVAEEAZQBBAEIAbABBAEcATQBBAFgAdwBCADMAQQBIAEkAQQBZAFEAQgB3AEEASABBAEEAWgBRAEIAeQBBAEYAOABBAGMAdwBCADAAQQBIAEkAQQBMAGcAQgBUAEEASABBAEEAYgBBAEIAcABBAEgAUQBBAEsAQQBCAEEAQQBDAGcAQQBJAGcAQgBnAEEARABBAEEAWQBBAEEAdwBBAEcAQQBBAE0AQQBCAGcAQQBEAEEAQQBJAGcAQQBwAEEAQwB3AEEASQBBAEEAeQBBAEMAdwBBAEkAQQBCAGIAQQBGAE0AQQBkAEEAQgB5AEEARwBrAEEAYgBnAEIAbgBBAEYATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBQAEEASABBAEEAZABBAEIAcABBAEcAOABBAGIAZwBCAHoAQQBGADAAQQBPAGcAQQA2AEEARgBJAEEAWgBRAEIAdABBAEcAOABBAGQAZwBCAGwAQQBFAFUAQQBiAFEAQgB3AEEASABRAEEAZQBRAEIARgBBAEcANABBAGQAQQBCAHkAQQBHAGsAQQBaAFEAQgB6AEEAQwBrAEEAQwBnAEIASgBBAEcAWQBBAEkAQQBBAG8AQQBDADAAQQBiAGcAQgB2AEEASABRAEEASQBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBBAHUAQQBFAHcAQQBaAFEAQgB1AEEARwBjAEEAZABBAEIAbwBBAEMAQQBBAEwAUQBCAGwAQQBIAEUAQQBJAEEAQQB5AEEAQwBrAEEASQBBAEIANwBBAEMAQQBBAGQAQQBCAG8AQQBIAEkAQQBiAHcAQgAzAEEAQwBBAEEASQBnAEIAcABBAEcANABBAGQAZwBCAGgAQQBHAHcAQQBhAFEAQgBrAEEAQwBBAEEAYwBBAEIAaABBAEgAawBBAGIAQQBCAHYAQQBHAEUAQQBaAEEAQQBpAEEAQwBBAEEAZgBRAEEASwBBAEYATQBBAFoAUQBCADAAQQBDADAAQQBWAGcAQgBoAEEASABJAEEAYQBRAEIAaABBAEcASQBBAGIAQQBCAGwAQQBDAEEAQQBMAFEAQgBPAEEARwBFAEEAYgBRAEIAbABBAEMAQQBBAGEAZwBCAHoAQQBHADgAQQBiAGcAQgBmAEEASABJAEEAWQBRAEIAMwBBAEMAQQBBAEwAUQBCAFcAQQBHAEUAQQBiAEEAQgAxAEEARwBVAEEASQBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBCAGIAQQBEAEUAQQBYAFEAQQBLAEEAQwBRAEEAWgBRAEIANABBAEcAVQBBAFkAdwBCAGYAQQBIAGMAQQBjAGcAQgBoAEEASABBAEEAYwBBAEIAbABBAEgASQBBAEkAQQBBADkAQQBDAEEAQQBXAHcAQgBUAEEARwBNAEEAYwBnAEIAcABBAEgAQQBBAGQAQQBCAEMAQQBHAHcAQQBiAHcAQgBqAEEARwBzAEEAWABRAEEANgBBAEQAbwBBAFEAdwBCAHkAQQBHAFUAQQBZAFEAQgAwAEEARwBVAEEASwBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBCAGIAQQBEAEEAQQBYAFEAQQBwAEEAQQBvAEEASgBnAEEAawBBAEcAVQBBAGUAQQBCAGwAQQBHAE0AQQBYAHcAQgAzAEEASABJAEEAWQBRAEIAdwBBAEgAQQBBAFoAUQBCAHkAQQBBAD0APQA=C:\Users\Administrator\ATTACKRANGE\Administrator{928AB1BB-E3E8-60C1-DE17-0D0000000000}0xd17de0HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{928AB1BB-E3E8-60C1-AA02-00000000C301}3132C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /C PowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand UABvAHcAZQByAFMAaABlAGwAbAAgAC0ATgBvAFAAcgBvAGYAaQBsAGUAIAAtAE4AbwBuAEkAbgB0AGUAcgBhAGMAdABpAHYAZQAgAC0ARQB4AGUAYwB1AHQAaQBvAG4AUABvAGwAaQBjAHkAIABVAG4AcgBlAHMAdAByAGkAYwB0AGUAZAAgAC0ARQBuAGMAbwBkAGUAZABDAG8AbQBtAGEAbgBkACAASgBnAEIAagBBAEcAZwBBAFkAdwBCAHcAQQBDADQAQQBZAHcAQgB2AEEARwAwAEEASQBBAEEAMgBBAEQAVQBBAE0AQQBBAHcAQQBEAEUAQQBJAEEAQQArAEEAQwBBAEEASgBBAEIAdQBBAEgAVQBBAGIAQQBCAHMAQQBBAG8AQQBKAEEAQgBsAEEASABnAEEAWgBRAEIAagBBAEYAOABBAGQAdwBCAHkAQQBHAEUAQQBjAEEAQgB3AEEARwBVAEEAYwBnAEIAZgBBAEgATQBBAGQAQQBCAHkAQQBDAEEAQQBQAFEAQQBnAEEAQwBRAEEAYQBRAEIAdQBBAEgAQQBBAGQAUQBCADAAQQBDAEEAQQBmAEEAQQBnAEEARQA4AEEAZABRAEIAMABBAEMAMABBAFUAdwBCADAAQQBIAEkAQQBhAFEAQgB1AEEARwBjAEEAQwBnAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBBAGcAQQBEADAAQQBJAEEAQQBrAEEARwBVAEEAZQBBAEIAbABBAEcATQBBAFgAdwBCADMAQQBIAEkAQQBZAFEAQgB3AEEASABBAEEAWgBRAEIAeQBBAEYAOABBAGMAdwBCADAAQQBIAEkAQQBMAGcAQgBUAEEASABBAEEAYgBBAEIAcABBAEgAUQBBAEsAQQBCAEEAQQBDAGcAQQBJAGcAQgBnAEEARABBAEEAWQBBAEEAdwBBAEcAQQBBAE0AQQBCAGcAQQBEAEEAQQBJAGcAQQBwAEEAQwB3AEEASQBBAEEAeQBBAEMAdwBBAEkAQQBCAGIAQQBGAE0AQQBkAEEAQgB5AEEARwBrAEEAYgBnAEIAbgBBAEYATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBQAEEASABBAEEAZABBAEIAcABBAEcAOABBAGIAZwBCAHoAQQBGADAAQQBPAGcAQQA2AEEARgBJAEEAWgBRAEIAdABBAEcAOABBAGQAZwBCAGwAQQBFAFUAQQBiAFEAQgB3AEEASABRAEEAZQBRAEIARgBBAEcANABBAGQAQQBCAHkAQQBHAGsAQQBaAFEAQgB6AEEAQwBrAEEAQwBnAEIASgBBAEcAWQBBAEkAQQBBAG8AQQBDADAAQQBiAGcAQgB2AEEASABRAEEASQBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBBAHUAQQBFAHcAQQBaAFEAQgB1AEEARwBjAEEAZABBAEIAbwBBAEMAQQBBAEwAUQBCAGwAQQBIAEUAQQBJAEEAQQB5AEEAQwBrAEEASQBBAEIANwBBAEMAQQBBAGQAQQBCAG8AQQBIAEkAQQBiAHcAQgAzAEEAQwBBAEEASQBnAEIAcABBAEcANABBAGQAZwBCAGgAQQBHAHcAQQBhAFEAQgBrAEEAQwBBAEEAYwBBAEIAaABBAEgAawBBAGIAQQBCAHYAQQBHAEUAQQBaAEEAQQBpAEEAQwBBAEEAZgBRAEEASwBBAEYATQBBAFoAUQBCADAAQQBDADAAQQBWAGcAQgBoAEEASABJAEEAYQBRAEIAaABBAEcASQBBAGIAQQBCAGwAQQBDAEEAQQBMAFEAQgBPAEEARwBFAEEAYgBRAEIAbABBAEMAQQBBAGEAZwBCAHoAQQBHADgAQQBiAGcAQgBmAEEASABJAEEAWQBRAEIAMwBBAEMAQQBBAEwAUQBCAFcAQQBHAEUAQQBiAEEAQgAxAEEARwBVAEEASQBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBCAGIAQQBEAEUAQQBYAFEAQQBLAEEAQwBRAEEAWgBRAEIANABBAEcAVQBBAFkAdwBCAGYAQQBIAGMAQQBjAGcAQgBoAEEASABBAEEAYwBBAEIAbABBAEgASQBBAEkAQQBBADkAQQBDAEEAQQBXAHcAQgBUAEEARwBNAEEAYwBnAEIAcABBAEgAQQBBAGQAQQBCAEMAQQBHAHcAQQBiAHcAQgBqAEEARwBzAEEAWABRAEEANgBBAEQAbwBBAFEAdwBCAHkAQQBHAFUAQQBZAFEAQgAwAEEARwBVAEEASwBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBCAGIAQQBEAEEAQQBYAFEAQQBwAEEAQQBvAEEASgBnAEEAawBBAEcAVQBBAGUAQQBCAGwAQQBHAE0AQQBYAHcAQgAzAEEASABJAEEAWQBRAEIAdwBBAEgAQQBBAFoAUQBCAHkAQQBBAD0APQA= 10341000x800000000000000079Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:28.348{928AB1BB-E3E8-60C1-A902-00000000C301}21523000C:\Windows\system32\conhost.exe{928AB1BB-E3E8-60C1-AA02-00000000C301}3132C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000078Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:28.348{928AB1BB-E35F-60C1-0C00-00000000C301}860888C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000077Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:28.348{928AB1BB-E35F-60C1-0C00-00000000C301}860888C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000076Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:28.348{928AB1BB-E35F-60C1-0C00-00000000C301}860888C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:28.348{928AB1BB-E35F-60C1-0C00-00000000C301}860888C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000074Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:28.348{928AB1BB-E35F-60C1-0C00-00000000C301}860888C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000073Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:28.348{928AB1BB-E35F-60C1-0C00-00000000C301}860888C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000072Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:28.348{928AB1BB-E35F-60C1-0C00-00000000C301}860888C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:28.348{928AB1BB-E35F-60C1-0C00-00000000C301}860888C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000070Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:28.348{928AB1BB-E349-60C1-0500-00000000C301}412500C:\Windows\system32\csrss.exe{928AB1BB-E3E8-60C1-AA02-00000000C301}3132C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000069Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:28.348{928AB1BB-E35F-60C1-0C00-00000000C301}860888C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000068Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:28.348{928AB1BB-E3E8-60C1-A802-00000000C301}31963468C:\Windows\system32\WinrsHost.exe{928AB1BB-E3E8-60C1-AA02-00000000C301}3132C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\WinrsHost.exe+2c94|C:\Windows\system32\WinrsHost.exe+2eb1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b 154100x800000000000000067Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:28.352{928AB1BB-E3E8-60C1-AA02-00000000C301}3132C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /C PowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand UABvAHcAZQByAFMAaABlAGwAbAAgAC0ATgBvAFAAcgBvAGYAaQBsAGUAIAAtAE4AbwBuAEkAbgB0AGUAcgBhAGMAdABpAHYAZQAgAC0ARQB4AGUAYwB1AHQAaQBvAG4AUABvAGwAaQBjAHkAIABVAG4AcgBlAHMAdAByAGkAYwB0AGUAZAAgAC0ARQBuAGMAbwBkAGUAZABDAG8AbQBtAGEAbgBkACAASgBnAEIAagBBAEcAZwBBAFkAdwBCAHcAQQBDADQAQQBZAHcAQgB2AEEARwAwAEEASQBBAEEAMgBBAEQAVQBBAE0AQQBBAHcAQQBEAEUAQQBJAEEAQQArAEEAQwBBAEEASgBBAEIAdQBBAEgAVQBBAGIAQQBCAHMAQQBBAG8AQQBKAEEAQgBsAEEASABnAEEAWgBRAEIAagBBAEYAOABBAGQAdwBCAHkAQQBHAEUAQQBjAEEAQgB3AEEARwBVAEEAYwBnAEIAZgBBAEgATQBBAGQAQQBCAHkAQQBDAEEAQQBQAFEAQQBnAEEAQwBRAEEAYQBRAEIAdQBBAEgAQQBBAGQAUQBCADAAQQBDAEEAQQBmAEEAQQBnAEEARQA4AEEAZABRAEIAMABBAEMAMABBAFUAdwBCADAAQQBIAEkAQQBhAFEAQgB1AEEARwBjAEEAQwBnAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBBAGcAQQBEADAAQQBJAEEAQQBrAEEARwBVAEEAZQBBAEIAbABBAEcATQBBAFgAdwBCADMAQQBIAEkAQQBZAFEAQgB3AEEASABBAEEAWgBRAEIAeQBBAEYAOABBAGMAdwBCADAAQQBIAEkAQQBMAGcAQgBUAEEASABBAEEAYgBBAEIAcABBAEgAUQBBAEsAQQBCAEEAQQBDAGcAQQBJAGcAQgBnAEEARABBAEEAWQBBAEEAdwBBAEcAQQBBAE0AQQBCAGcAQQBEAEEAQQBJAGcAQQBwAEEAQwB3AEEASQBBAEEAeQBBAEMAdwBBAEkAQQBCAGIAQQBGAE0AQQBkAEEAQgB5AEEARwBrAEEAYgBnAEIAbgBBAEYATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBQAEEASABBAEEAZABBAEIAcABBAEcAOABBAGIAZwBCAHoAQQBGADAAQQBPAGcAQQA2AEEARgBJAEEAWgBRAEIAdABBAEcAOABBAGQAZwBCAGwAQQBFAFUAQQBiAFEAQgB3AEEASABRAEEAZQBRAEIARgBBAEcANABBAGQAQQBCAHkAQQBHAGsAQQBaAFEAQgB6AEEAQwBrAEEAQwBnAEIASgBBAEcAWQBBAEkAQQBBAG8AQQBDADAAQQBiAGcAQgB2AEEASABRAEEASQBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBBAHUAQQBFAHcAQQBaAFEAQgB1AEEARwBjAEEAZABBAEIAbwBBAEMAQQBBAEwAUQBCAGwAQQBIAEUAQQBJAEEAQQB5AEEAQwBrAEEASQBBAEIANwBBAEMAQQBBAGQAQQBCAG8AQQBIAEkAQQBiAHcAQgAzAEEAQwBBAEEASQBnAEIAcABBAEcANABBAGQAZwBCAGgAQQBHAHcAQQBhAFEAQgBrAEEAQwBBAEEAYwBBAEIAaABBAEgAawBBAGIAQQBCAHYAQQBHAEUAQQBaAEEAQQBpAEEAQwBBAEEAZgBRAEEASwBBAEYATQBBAFoAUQBCADAAQQBDADAAQQBWAGcAQgBoAEEASABJAEEAYQBRAEIAaABBAEcASQBBAGIAQQBCAGwAQQBDAEEAQQBMAFEAQgBPAEEARwBFAEEAYgBRAEIAbABBAEMAQQBBAGEAZwBCAHoAQQBHADgAQQBiAGcAQgBmAEEASABJAEEAWQBRAEIAMwBBAEMAQQBBAEwAUQBCAFcAQQBHAEUAQQBiAEEAQgAxAEEARwBVAEEASQBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBCAGIAQQBEAEUAQQBYAFEAQQBLAEEAQwBRAEEAWgBRAEIANABBAEcAVQBBAFkAdwBCAGYAQQBIAGMAQQBjAGcAQgBoAEEASABBAEEAYwBBAEIAbABBAEgASQBBAEkAQQBBADkAQQBDAEEAQQBXAHcAQgBUAEEARwBNAEEAYwBnAEIAcABBAEgAQQBBAGQAQQBCAEMAQQBHAHcAQQBiAHcAQgBqAEEARwBzAEEAWABRAEEANgBBAEQAbwBBAFEAdwBCAHkAQQBHAFUAQQBZAFEAQgAwAEEARwBVAEEASwBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBCAGIAQQBEAEEAQQBYAFEAQQBwAEEAQQBvAEEASgBnAEEAawBBAEcAVQBBAGUAQQBCAGwAQQBHAE0AQQBYAHcAQgAzAEEASABJAEEAWQBRAEIAdwBBAEgAQQBBAFoAUQBCAHkAQQBBAD0APQA=C:\Users\Administrator\ATTACKRANGE\Administrator{928AB1BB-E3E8-60C1-DE17-0D0000000000}0xd17de0HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{928AB1BB-E3E8-60C1-A802-00000000C301}3196C:\Windows\System32\winrshost.exeC:\Windows\system32\WinrsHost.exe -Embedding 10341000x800000000000000066Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:28.348{928AB1BB-E35D-60C1-0B00-00000000C301}632852C:\Windows\system32\lsass.exe{928AB1BB-E35F-60C1-1300-00000000C301}964C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+1d1e8|C:\Windows\system32\lsasrv.dll+1c411|C:\Windows\system32\lsasrv.dll+1ac30|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:28.348{928AB1BB-E35D-60C1-0B00-00000000C301}632852C:\Windows\system32\lsass.exe{928AB1BB-E35F-60C1-1300-00000000C301}964C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+19616|C:\Windows\system32\lsasrv.dll+1abbf|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:28.332{928AB1BB-E35D-60C1-0B00-00000000C301}632852C:\Windows\system32\lsass.exe{928AB1BB-E35F-60C1-1300-00000000C301}964C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000063Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:28.316{928AB1BB-E35F-60C1-1300-00000000C301}9642168C:\Windows\system32\svchost.exe{928AB1BB-E3E8-60C1-A802-00000000C301}3196C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\winrscmd.dll+8d36|C:\Windows\system32\winrscmd.dll+92d5|C:\Windows\system32\winrscmd.dll+af31|C:\Windows\system32\winrscmd.dll+23dc|c:\windows\system32\wsmsvc.dll+155ac7|c:\windows\system32\wsmsvc.dll+13f76d|c:\windows\system32\wsmsvc.dll+13f3cf|c:\windows\system32\wsmsvc.dll+13fcb2|c:\windows\system32\wsmsvc.dll+9ab10|c:\windows\system32\wsmsvc.dll+9b611|c:\windows\system32\wsmsvc.dll+4495|c:\windows\system32\wsmsvc.dll+16816c|c:\windows\system32\wsmsvc.dll+1689b8|c:\windows\system32\wsmsvc.dll+16345b|c:\windows\system32\wsmsvc.dll+163125|c:\windows\system32\wsmsvc.dll+14ce9c|c:\windows\system32\wsmsvc.dll+130049|c:\windows\system32\wsmsvc.dll+13571a|c:\windows\system32\wsmsvc.dll+12f47e|c:\windows\system32\wsmsvc.dll+125587|c:\windows\system32\wsmsvc.dll+11f562|c:\windows\system32\wsmsvc.dll+124574 10341000x800000000000000062Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:28.301{928AB1BB-E35F-60C1-0C00-00000000C301}860888C:\Windows\system32\svchost.exe{928AB1BB-E3E8-60C1-A802-00000000C301}3196C:\Windows\system32\WinrsHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000061Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:28.285{928AB1BB-E3E8-60C1-A902-00000000C301}21523000C:\Windows\system32\conhost.exe{928AB1BB-E3E8-60C1-A802-00000000C301}3196C:\Windows\system32\WinrsHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:28.222{928AB1BB-E349-60C1-0500-00000000C301}412500C:\Windows\system32\csrss.exe{928AB1BB-E3E8-60C1-A902-00000000C301}2152C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000059Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:28.222{928AB1BB-E35F-60C1-0C00-00000000C301}860888C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:28.222{928AB1BB-E35F-60C1-0C00-00000000C301}860888C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:28.222{928AB1BB-E35F-60C1-0C00-00000000C301}860888C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:28.222{928AB1BB-E35F-60C1-0C00-00000000C301}860888C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:28.222{928AB1BB-E35F-60C1-0C00-00000000C301}860888C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000054Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:28.222{928AB1BB-E35F-60C1-0C00-00000000C301}860888C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000053Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:28.222{928AB1BB-E35F-60C1-0C00-00000000C301}860888C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000052Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:28.222{928AB1BB-E35F-60C1-0C00-00000000C301}860888C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:28.222{928AB1BB-E35F-60C1-0C00-00000000C301}860888C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:28.222{928AB1BB-E349-60C1-0500-00000000C301}412428C:\Windows\system32\csrss.exe{928AB1BB-E3E8-60C1-A802-00000000C301}3196C:\Windows\system32\WinrsHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000049Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:28.222{928AB1BB-E35F-60C1-0C00-00000000C301}860904C:\Windows\system32\svchost.exe{928AB1BB-E3E8-60C1-A802-00000000C301}3196C:\Windows\system32\WinrsHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+35069|c:\windows\system32\rpcss.dll+3a852|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000048Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:28.225{928AB1BB-E3E8-60C1-A802-00000000C301}3196C:\Windows\System32\winrshost.exe10.0.14393.0 (rs1_release.160715-1616)Host Process for WinRM's Remote Shell pluginMicrosoft® Windows® Operating SystemMicrosoft Corporationwinrshost.exeC:\Windows\system32\WinrsHost.exe -EmbeddingC:\Windows\system32\ATTACKRANGE\Administrator{928AB1BB-E3E8-60C1-DE17-0D0000000000}0xd17de0HighMD5=F40EC96CA18D88CB1F26FA2070010714,SHA256=607C014A3CA531FFAD50BCD90095C01E4E6B691D9E18473C70E4699CF1E31453,IMPHASH=4216D8E7F36901B61DFD6309B49BCF96{928AB1BB-E35F-60C1-0C00-00000000C301}860C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch 10341000x800000000000000047Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:28.222{928AB1BB-E35D-60C1-0B00-00000000C301}632852C:\Windows\system32\lsass.exe{928AB1BB-E35F-60C1-1300-00000000C301}964C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+1d1e8|C:\Windows\system32\lsasrv.dll+1c411|C:\Windows\system32\lsasrv.dll+1ac30|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000046Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:28.222{928AB1BB-E35D-60C1-0B00-00000000C301}632852C:\Windows\system32\lsass.exe{928AB1BB-E35F-60C1-1300-00000000C301}964C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+19616|C:\Windows\system32\lsasrv.dll+1abbf|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000045Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:28.207{928AB1BB-E35D-60C1-0B00-00000000C301}632852C:\Windows\system32\lsass.exe{928AB1BB-E35F-60C1-1300-00000000C301}964C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000044Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:28.018{928AB1BB-E35D-60C1-0B00-00000000C301}632844C:\Windows\system32\lsass.exe{928AB1BB-E35F-60C1-1300-00000000C301}964C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+1d1e8|C:\Windows\system32\lsasrv.dll+1c411|C:\Windows\system32\lsasrv.dll+1ac30|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000043Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:28.018{928AB1BB-E35D-60C1-0B00-00000000C301}632844C:\Windows\system32\lsass.exe{928AB1BB-E35F-60C1-1300-00000000C301}964C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+19616|C:\Windows\system32\lsasrv.dll+1abbf|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000042Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:28.018{928AB1BB-E35D-60C1-0B00-00000000C301}632844C:\Windows\system32\lsass.exe{928AB1BB-E35F-60C1-1300-00000000C301}964C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000041Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:28.002{928AB1BB-E35D-60C1-0B00-00000000C301}632844C:\Windows\system32\lsass.exe{928AB1BB-E35F-60C1-1300-00000000C301}964C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+1d1e8|C:\Windows\system32\lsasrv.dll+1c411|C:\Windows\system32\lsasrv.dll+1ac30|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000040Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:28.002{928AB1BB-E35D-60C1-0B00-00000000C301}632844C:\Windows\system32\lsass.exe{928AB1BB-E35F-60C1-1300-00000000C301}964C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+19616|C:\Windows\system32\lsasrv.dll+1abbf|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000039Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:28.002{928AB1BB-E35D-60C1-0B00-00000000C301}632844C:\Windows\system32\lsass.exe{928AB1BB-E35F-60C1-1300-00000000C301}964C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 17141700x8000000000000000149Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-CreatePipe2021-06-10 10:05:29.857{928AB1BB-E3E8-60C1-AB02-00000000C301}2144\PSHost.132677931283631461.2144.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 23542300x8000000000000000148Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:29.857{928AB1BB-E3E8-60C1-AB02-00000000C301}2144ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_cni3hkzg.t4n.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000147Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:29.841{928AB1BB-E3E8-60C1-AB02-00000000C301}2144ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_lwrn0cfm.stj.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000146Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:29.684{928AB1BB-E35D-60C1-0A00-00000000C301}624708C:\Windows\system32\services.exe{928AB1BB-E3E9-60C1-AE02-00000000C301}2892C:\Windows\system32\sppsvc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\services.exe+1713f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000145Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:29.684{928AB1BB-E35F-60C1-0C00-00000000C301}860888C:\Windows\system32\svchost.exe{928AB1BB-E3E9-60C1-AE02-00000000C301}2892C:\Windows\system32\sppsvc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000144Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:29.621{928AB1BB-E349-60C1-0500-00000000C301}412532C:\Windows\system32\csrss.exe{928AB1BB-E3E9-60C1-AE02-00000000C301}2892C:\Windows\system32\sppsvc.exe0x103800C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000143Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:29.621{928AB1BB-E35D-60C1-0A00-00000000C301}624292C:\Windows\system32\services.exe{928AB1BB-E3E9-60C1-AE02-00000000C301}2892C:\Windows\system32\sppsvc.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+307d|C:\Windows\system32\services.exe+6334|C:\Windows\system32\services.exe+dc24|C:\Windows\system32\services.exe+d248|C:\Windows\system32\services.exe+1643d|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1e892|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x8000000000000000142Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:29.559{928AB1BB-E3E8-60C1-AB02-00000000C301}2144C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_lwrn0cfm.stj.ps12021-06-10 10:05:29.559 10341000x8000000000000000141Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:29.559{928AB1BB-E35F-60C1-0C00-00000000C301}860888C:\Windows\system32\svchost.exe{928AB1BB-E35D-60C1-0B00-00000000C301}632C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000140Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:29.559{928AB1BB-E35F-60C1-0C00-00000000C301}860888C:\Windows\system32\svchost.exe{928AB1BB-E35D-60C1-0B00-00000000C301}632C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000139Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:29.559{928AB1BB-E35D-60C1-0B00-00000000C301}632852C:\Windows\system32\lsass.exe{928AB1BB-E35D-60C1-0A00-00000000C301}624C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000138Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:29.543{928AB1BB-E35F-60C1-0C00-00000000C301}860888C:\Windows\system32\svchost.exe{928AB1BB-E3E8-60C1-AB02-00000000C301}2144C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000137Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:29.543{928AB1BB-E3CF-60C1-2002-00000000C301}3352NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=718E5DB12E91B647115F2A0669A90B22,SHA256=7A154012B6F4FA68322B4FD50B10566BDF2D17B89122D46A42B03BE1E0915DAF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000136Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:29.543{928AB1BB-E3CF-60C1-2002-00000000C301}3352NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=6FC152CF389EAACC180F4F8EE4C67BC7,SHA256=AC690D9421D6F5D98114C04BC4946F1B33CEF2E7403DE9F35D3EFD79D16F7DA5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000135Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:29.543{928AB1BB-E3CF-60C1-2002-00000000C301}3352NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=C7B1E3FD50683437171B0A59A40BDF9A,SHA256=4AC5A2E6835D282F0011AE2EE7ABF4B146D23B9F6F803BFE0F75F790A1942C59,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000134Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:29.386{928AB1BB-E35D-60C1-0B00-00000000C301}632852C:\Windows\system32\lsass.exe{928AB1BB-E3E9-60C1-AD02-00000000C301}2244C:\Windows\System32\msdtc.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000133Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:29.386{928AB1BB-E35D-60C1-0B00-00000000C301}632852C:\Windows\system32\lsass.exe{928AB1BB-E3E9-60C1-AD02-00000000C301}2244C:\Windows\System32\msdtc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000132Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:27.094{928AB1BB-E36F-60C1-1F00-00000000C301}2448C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-365.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-365.attackrange.local52444- 354300x8000000000000000131Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:27.094{928AB1BB-E36F-60C1-1F00-00000000C301}2448C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-365.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-365.attackrange.local65100- 354300x8000000000000000130Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:27.094{928AB1BB-E35F-60C1-1300-00000000C301}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetrue0:0:0:0:0:0:0:1win-dc-365.attackrange.local65100-true0:0:0:0:0:0:0:1win-dc-365.attackrange.local53domain 10341000x8000000000000000129Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:29.290{928AB1BB-E35D-60C1-0A00-00000000C301}624708C:\Windows\system32\services.exe{928AB1BB-E3E9-60C1-AD02-00000000C301}2244C:\Windows\System32\msdtc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\services.exe+1713f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000128Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:29.165{928AB1BB-E35F-60C1-0C00-00000000C301}860888C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000127Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:29.165{928AB1BB-E35F-60C1-0C00-00000000C301}860888C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000126Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:29.165{928AB1BB-E35F-60C1-0C00-00000000C301}860888C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000125Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:29.165{928AB1BB-E35F-60C1-0C00-00000000C301}860888C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000124Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:29.165{928AB1BB-E35F-60C1-0C00-00000000C301}860888C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000123Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:29.165{928AB1BB-E35F-60C1-0C00-00000000C301}860888C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000122Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:29.165{928AB1BB-E35F-60C1-0C00-00000000C301}860888C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000121Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:29.165{928AB1BB-E35F-60C1-0C00-00000000C301}860888C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000120Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:29.165{928AB1BB-E35F-60C1-0C00-00000000C301}860888C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000119Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:29.165{928AB1BB-E349-60C1-0500-00000000C301}412428C:\Windows\system32\csrss.exe{928AB1BB-E3E9-60C1-AD02-00000000C301}2244C:\Windows\System32\msdtc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000118Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:29.165{928AB1BB-E35D-60C1-0A00-00000000C301}624292C:\Windows\system32\services.exe{928AB1BB-E3E9-60C1-AD02-00000000C301}2244C:\Windows\System32\msdtc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+307d|C:\Windows\system32\services.exe+6334|C:\Windows\system32\services.exe+dc24|C:\Windows\system32\services.exe+d248|C:\Windows\system32\services.exe+1643d|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1e892|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000117Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:29.169{928AB1BB-E3E9-60C1-AD02-00000000C301}2244C:\Windows\System32\msdtc.exe2001.12.10941.16384 (rs1_release.160715-1616)Microsoft Distributed Transaction Coordinator ServiceMicrosoft® Windows® Operating SystemMicrosoft CorporationMSDTC.EXEC:\Windows\System32\msdtc.exeC:\Windows\system32\NT AUTHORITY\NETWORK SERVICE{928AB1BB-E35F-60C1-E403-000000000000}0x3e40SystemMD5=308F08347923DEEDE7BC03EC7D485841,SHA256=72DB45CA11FE635DF9F8273C38CBEFB8DF5362ADA0CBF6D2B1E570365DC700C0,IMPHASH=D02F3DF332409C5D3F34BA2D38FC4ED4{928AB1BB-E35D-60C1-0A00-00000000C301}624C:\Windows\System32\services.exeC:\Windows\system32\services.exe 10341000x8000000000000000116Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:29.165{928AB1BB-E35F-60C1-0C00-00000000C301}860888C:\Windows\system32\svchost.exe{928AB1BB-E35D-60C1-0B00-00000000C301}632C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000115Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:29.165{928AB1BB-E35F-60C1-0C00-00000000C301}860888C:\Windows\system32\svchost.exe{928AB1BB-E35D-60C1-0B00-00000000C301}632C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000114Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:29.165{928AB1BB-E35D-60C1-0B00-00000000C301}632844C:\Windows\system32\lsass.exe{928AB1BB-E35D-60C1-0A00-00000000C301}624C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 22542200x8000000000000000113Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:27.108{928AB1BB-E35D-60C1-0B00-00000000C301}632_kerberos._tcp.dc._msdcs.attackrange.local.0type: 33 ;10.0.1.14;C:\Windows\System32\lsass.exe 22542200x8000000000000000112Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:27.108{928AB1BB-E35D-60C1-0B00-00000000C301}632_kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.attackrange.local.0type: 33 ;10.0.1.14;C:\Windows\System32\lsass.exe 22542200x8000000000000000111Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:27.107{928AB1BB-E35D-60C1-0B00-00000000C301}632win-dc-365010.0.1.14;C:\Windows\System32\lsass.exe 10341000x8000000000000000110Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:29.023{928AB1BB-E35D-60C1-0A00-00000000C301}624708C:\Windows\system32\services.exe{928AB1BB-E3E9-60C1-AC02-00000000C301}3672C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\services.exe+1713f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000109Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:29.023{928AB1BB-E35F-60C1-0C00-00000000C301}860888C:\Windows\system32\svchost.exe{928AB1BB-E3E9-60C1-AC02-00000000C301}3672C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000108Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:29.023{928AB1BB-E349-60C1-0500-00000000C301}412500C:\Windows\system32\csrss.exe{928AB1BB-E3E9-60C1-AC02-00000000C301}3672C:\Windows\System32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000107Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:29.023{928AB1BB-E35D-60C1-0A00-00000000C301}624292C:\Windows\system32\services.exe{928AB1BB-E3E9-60C1-AC02-00000000C301}3672C:\Windows\System32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+307d|C:\Windows\system32\services.exe+6334|C:\Windows\system32\services.exe+dc24|C:\Windows\system32\services.exe+d248|C:\Windows\system32\services.exe+1643d|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1e892|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000106Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:29.023{928AB1BB-E35F-60C1-0C00-00000000C301}860888C:\Windows\system32\svchost.exe{928AB1BB-E35D-60C1-0B00-00000000C301}632C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000105Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:29.023{928AB1BB-E35F-60C1-0C00-00000000C301}860888C:\Windows\system32\svchost.exe{928AB1BB-E35D-60C1-0B00-00000000C301}632C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:29.023{928AB1BB-E35D-60C1-0B00-00000000C301}632844C:\Windows\system32\lsass.exe{928AB1BB-E35D-60C1-0A00-00000000C301}624C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000199Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:30.990{928AB1BB-E3CF-60C1-2002-00000000C301}3352NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=7E86BEB4FF9C62EEF549AD51371D6F19,SHA256=B870C66C1118B34C03A33A6DD36B385119B36ED7D6F378E0B057C7D302F0CF7A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000198Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:30.535{928AB1BB-E35D-60C1-0B00-00000000C301}632852C:\Windows\system32\lsass.exe{928AB1BB-E35F-60C1-1300-00000000C301}964C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+1d1e8|C:\Windows\system32\lsasrv.dll+1c411|C:\Windows\system32\lsasrv.dll+1ac30|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000197Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:30.535{928AB1BB-E35D-60C1-0B00-00000000C301}632852C:\Windows\system32\lsass.exe{928AB1BB-E35F-60C1-1300-00000000C301}964C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+19616|C:\Windows\system32\lsasrv.dll+1abbf|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000196Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:30.535{928AB1BB-E35D-60C1-0B00-00000000C301}632852C:\Windows\system32\lsass.exe{928AB1BB-E35F-60C1-1300-00000000C301}964C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000195Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:30.535{928AB1BB-E3E8-60C1-A902-00000000C301}21523000C:\Windows\system32\conhost.exe{928AB1BB-E3EA-60C1-B002-00000000C301}3512C:\Windows\system32\chcp.com0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000194Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:30.535{928AB1BB-E35F-60C1-0C00-00000000C301}860888C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000193Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:30.535{928AB1BB-E35F-60C1-0C00-00000000C301}860888C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000192Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:30.535{928AB1BB-E35F-60C1-0C00-00000000C301}860888C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000191Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:30.535{928AB1BB-E35F-60C1-0C00-00000000C301}860888C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000190Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:30.535{928AB1BB-E35F-60C1-0C00-00000000C301}860888C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000189Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:30.535{928AB1BB-E35F-60C1-0C00-00000000C301}860888C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000188Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:30.535{928AB1BB-E35F-60C1-0C00-00000000C301}860888C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000187Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:30.535{928AB1BB-E349-60C1-0500-00000000C301}412428C:\Windows\system32\csrss.exe{928AB1BB-E3EA-60C1-B002-00000000C301}3512C:\Windows\system32\chcp.com0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000186Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:30.535{928AB1BB-E35F-60C1-0C00-00000000C301}860888C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000185Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:30.535{928AB1BB-E35F-60C1-0C00-00000000C301}860888C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000184Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:30.535{928AB1BB-E3EA-60C1-AF02-00000000C301}31122316C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{928AB1BB-E3EA-60C1-B002-00000000C301}3512C:\Windows\system32\chcp.com0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\92b818b675d92827ce6f9fe02da8f648\System.ni.dll+384236|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\92b818b675d92827ce6f9fe02da8f648\System.ni.dll+2c4809|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\92b818b675d92827ce6f9fe02da8f648\System.ni.dll+2c4179|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c4508183(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c397b47c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c397b0b7(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c4453545(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c3938029(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c399ba9b(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c397daaa(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c397daaa(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c397d93b(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c396e65b(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c397bb9d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c397b76a(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c397b47c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c397b0b7(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c4453545(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c3960362(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c395f8d4(wow64) 154100x8000000000000000183Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:30.541{928AB1BB-E3EA-60C1-B002-00000000C301}3512C:\Windows\System32\chcp.com10.0.14393.0 (rs1_release.160715-1616)Change CodePage UtilityMicrosoft® Windows® Operating SystemMicrosoft CorporationCHCP.COM"C:\Windows\system32\chcp.com" 65001C:\Users\Administrator\ATTACKRANGE\Administrator{928AB1BB-E3E8-60C1-DE17-0D0000000000}0xd17de0HighMD5=BA6FD5B883C0899785D17CEBE66A25F6,SHA256=9FDBDF88CF2BB2794C416E3083553F2898AC9DC92DFAC2478B4C1DF667DF7C74,IMPHASH=4FB30D6E330F3FB3DB61550BD7FA7CCD{928AB1BB-E3EA-60C1-AF02-00000000C301}3112C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand JgBjAGgAYwBwAC4AYwBvAG0AIAA2ADUAMAAwADEAIAA+ACAAJABuAHUAbABsAAoAJABlAHgAZQBjAF8AdwByAGEAcABwAGUAcgBfAHMAdAByACAAPQAgACQAaQBuAHAAdQB0ACAAfAAgAE8AdQB0AC0AUwB0AHIAaQBuAGcACgAkAHMAcABsAGkAdABfAHAAYQByAHQAcwAgAD0AIAAkAGUAeABlAGMAXwB3AHIAYQBwAHAAZQByAF8AcwB0AHIALgBTAHAAbABpAHQAKABAACgAIgBgADAAYAAwAGAAMABgADAAIgApACwAIAAyACwAIABbAFMAdAByAGkAbgBnAFMAcABsAGkAdABPAHAAdABpAG8AbgBzAF0AOgA6AFIAZQBtAG8AdgBlAEUAbQBwAHQAeQBFAG4AdAByAGkAZQBzACkACgBJAGYAIAAoAC0AbgBvAHQAIAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwAuAEwAZQBuAGcAdABoACAALQBlAHEAIAAyACkAIAB7ACAAdABoAHIAbwB3ACAAIgBpAG4AdgBhAGwAaQBkACAAcABhAHkAbABvAGEAZAAiACAAfQAKAFMAZQB0AC0AVgBhAHIAaQBhAGIAbABlACAALQBOAGEAbQBlACAAagBzAG8AbgBfAHIAYQB3ACAALQBWAGEAbAB1AGUAIAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwBbADEAXQAKACQAZQB4AGUAYwBfAHcAcgBhAHAAcABlAHIAIAA9ACAAWwBTAGMAcgBpAHAAdABCAGwAbwBjAGsAXQA6ADoAQwByAGUAYQB0AGUAKAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwBbADAAXQApAAoAJgAkAGUAeABlAGMAXwB3AHIAYQBwAHAAZQByAA== 10341000x8000000000000000182Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:30.488{928AB1BB-E35D-60C1-0B00-00000000C301}632852C:\Windows\system32\lsass.exe{928AB1BB-E3EA-60C1-AF02-00000000C301}3112C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000181Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:30.488{928AB1BB-E35D-60C1-0B00-00000000C301}632852C:\Windows\system32\lsass.exe{928AB1BB-E3EA-60C1-AF02-00000000C301}3112C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 17141700x8000000000000000180Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-CreatePipe2021-06-10 10:05:30.472{928AB1BB-E3EA-60C1-AF02-00000000C301}3112\PSHost.132677931304106382.3112.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 23542300x8000000000000000179Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:30.456{928AB1BB-E3EA-60C1-AF02-00000000C301}3112ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_i5e4bmep.zkh.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000178Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:30.456{928AB1BB-E3EA-60C1-AF02-00000000C301}3112ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_haxn0h2g.opa.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000177Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:30.440{928AB1BB-E3EA-60C1-AF02-00000000C301}3112C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_haxn0h2g.opa.ps12021-06-10 10:05:30.440 10341000x8000000000000000176Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:30.440{928AB1BB-E35F-60C1-0C00-00000000C301}860888C:\Windows\system32\svchost.exe{928AB1BB-E3EA-60C1-AF02-00000000C301}3112C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000175Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:30.409{928AB1BB-E3E8-60C1-A902-00000000C301}21523000C:\Windows\system32\conhost.exe{928AB1BB-E3EA-60C1-AF02-00000000C301}3112C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000174Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:30.409{928AB1BB-E35F-60C1-0C00-00000000C301}860888C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000173Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:30.409{928AB1BB-E35F-60C1-0C00-00000000C301}860888C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000172Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:30.409{928AB1BB-E35F-60C1-0C00-00000000C301}860888C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000171Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:30.409{928AB1BB-E35F-60C1-0C00-00000000C301}860888C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000170Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:30.409{928AB1BB-E35F-60C1-0C00-00000000C301}860888C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000169Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:30.409{928AB1BB-E35F-60C1-0C00-00000000C301}860888C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000168Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:30.409{928AB1BB-E35F-60C1-0C00-00000000C301}860888C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000167Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:30.409{928AB1BB-E35F-60C1-0C00-00000000C301}860888C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000166Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:30.409{928AB1BB-E35F-60C1-0C00-00000000C301}860888C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000165Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:30.409{928AB1BB-E349-60C1-0500-00000000C301}412532C:\Windows\system32\csrss.exe{928AB1BB-E3EA-60C1-AF02-00000000C301}3112C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000164Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:30.409{928AB1BB-E3E8-60C1-AB02-00000000C301}2144508C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{928AB1BB-E3EA-60C1-AF02-00000000C301}3112C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\92b818b675d92827ce6f9fe02da8f648\System.ni.dll+384236|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\92b818b675d92827ce6f9fe02da8f648\System.ni.dll+2c4809|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\92b818b675d92827ce6f9fe02da8f648\System.ni.dll+2c4179|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c4508187(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c397b480(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c397b0bb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c4453549(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c393802d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c399ba9f(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c397daae(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c397daae(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c397d93f(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c396e65f(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c397bba1(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c397b76e(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c397b480(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c397b0bb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c4453549(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c3960366(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c395f8d8(wow64) 154100x8000000000000000163Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:30.410{928AB1BB-E3EA-60C1-AF02-00000000C301}3112C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXE"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand JgBjAGgAYwBwAC4AYwBvAG0AIAA2ADUAMAAwADEAIAA+ACAAJABuAHUAbABsAAoAJABlAHgAZQBjAF8AdwByAGEAcABwAGUAcgBfAHMAdAByACAAPQAgACQAaQBuAHAAdQB0ACAAfAAgAE8AdQB0AC0AUwB0AHIAaQBuAGcACgAkAHMAcABsAGkAdABfAHAAYQByAHQAcwAgAD0AIAAkAGUAeABlAGMAXwB3AHIAYQBwAHAAZQByAF8AcwB0AHIALgBTAHAAbABpAHQAKABAACgAIgBgADAAYAAwAGAAMABgADAAIgApACwAIAAyACwAIABbAFMAdAByAGkAbgBnAFMAcABsAGkAdABPAHAAdABpAG8AbgBzAF0AOgA6AFIAZQBtAG8AdgBlAEUAbQBwAHQAeQBFAG4AdAByAGkAZQBzACkACgBJAGYAIAAoAC0AbgBvAHQAIAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwAuAEwAZQBuAGcAdABoACAALQBlAHEAIAAyACkAIAB7ACAAdABoAHIAbwB3ACAAIgBpAG4AdgBhAGwAaQBkACAAcABhAHkAbABvAGEAZAAiACAAfQAKAFMAZQB0AC0AVgBhAHIAaQBhAGIAbABlACAALQBOAGEAbQBlACAAagBzAG8AbgBfAHIAYQB3ACAALQBWAGEAbAB1AGUAIAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwBbADEAXQAKACQAZQB4AGUAYwBfAHcAcgBhAHAAcABlAHIAIAA9ACAAWwBTAGMAcgBpAHAAdABCAGwAbwBjAGsAXQA6ADoAQwByAGUAYQB0AGUAKAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwBbADAAXQApAAoAJgAkAGUAeABlAGMAXwB3AHIAYQBwAHAAZQByAA==C:\Users\Administrator\ATTACKRANGE\Administrator{928AB1BB-E3E8-60C1-DE17-0D0000000000}0xd17de0HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{928AB1BB-E3E8-60C1-AB02-00000000C301}2144C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand UABvAHcAZQByAFMAaABlAGwAbAAgAC0ATgBvAFAAcgBvAGYAaQBsAGUAIAAtAE4AbwBuAEkAbgB0AGUAcgBhAGMAdABpAHYAZQAgAC0ARQB4AGUAYwB1AHQAaQBvAG4AUABvAGwAaQBjAHkAIABVAG4AcgBlAHMAdAByAGkAYwB0AGUAZAAgAC0ARQBuAGMAbwBkAGUAZABDAG8AbQBtAGEAbgBkACAASgBnAEIAagBBAEcAZwBBAFkAdwBCAHcAQQBDADQAQQBZAHcAQgB2AEEARwAwAEEASQBBAEEAMgBBAEQAVQBBAE0AQQBBAHcAQQBEAEUAQQBJAEEAQQArAEEAQwBBAEEASgBBAEIAdQBBAEgAVQBBAGIAQQBCAHMAQQBBAG8AQQBKAEEAQgBsAEEASABnAEEAWgBRAEIAagBBAEYAOABBAGQAdwBCAHkAQQBHAEUAQQBjAEEAQgB3AEEARwBVAEEAYwBnAEIAZgBBAEgATQBBAGQAQQBCAHkAQQBDAEEAQQBQAFEAQQBnAEEAQwBRAEEAYQBRAEIAdQBBAEgAQQBBAGQAUQBCADAAQQBDAEEAQQBmAEEAQQBnAEEARQA4AEEAZABRAEIAMABBAEMAMABBAFUAdwBCADAAQQBIAEkAQQBhAFEAQgB1AEEARwBjAEEAQwBnAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBBAGcAQQBEADAAQQBJAEEAQQBrAEEARwBVAEEAZQBBAEIAbABBAEcATQBBAFgAdwBCADMAQQBIAEkAQQBZAFEAQgB3AEEASABBAEEAWgBRAEIAeQBBAEYAOABBAGMAdwBCADAAQQBIAEkAQQBMAGcAQgBUAEEASABBAEEAYgBBAEIAcABBAEgAUQBBAEsAQQBCAEEAQQBDAGcAQQBJAGcAQgBnAEEARABBAEEAWQBBAEEAdwBBAEcAQQBBAE0AQQBCAGcAQQBEAEEAQQBJAGcAQQBwAEEAQwB3AEEASQBBAEEAeQBBAEMAdwBBAEkAQQBCAGIAQQBGAE0AQQBkAEEAQgB5AEEARwBrAEEAYgBnAEIAbgBBAEYATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBQAEEASABBAEEAZABBAEIAcABBAEcAOABBAGIAZwBCAHoAQQBGADAAQQBPAGcAQQA2AEEARgBJAEEAWgBRAEIAdABBAEcAOABBAGQAZwBCAGwAQQBFAFUAQQBiAFEAQgB3AEEASABRAEEAZQBRAEIARgBBAEcANABBAGQAQQBCAHkAQQBHAGsAQQBaAFEAQgB6AEEAQwBrAEEAQwBnAEIASgBBAEcAWQBBAEkAQQBBAG8AQQBDADAAQQBiAGcAQgB2AEEASABRAEEASQBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBBAHUAQQBFAHcAQQBaAFEAQgB1AEEARwBjAEEAZABBAEIAbwBBAEMAQQBBAEwAUQBCAGwAQQBIAEUAQQBJAEEAQQB5AEEAQwBrAEEASQBBAEIANwBBAEMAQQBBAGQAQQBCAG8AQQBIAEkAQQBiAHcAQgAzAEEAQwBBAEEASQBnAEIAcABBAEcANABBAGQAZwBCAGgAQQBHAHcAQQBhAFEAQgBrAEEAQwBBAEEAYwBBAEIAaABBAEgAawBBAGIAQQBCAHYAQQBHAEUAQQBaAEEAQQBpAEEAQwBBAEEAZgBRAEEASwBBAEYATQBBAFoAUQBCADAAQQBDADAAQQBWAGcAQgBoAEEASABJAEEAYQBRAEIAaABBAEcASQBBAGIAQQBCAGwAQQBDAEEAQQBMAFEAQgBPAEEARwBFAEEAYgBRAEIAbABBAEMAQQBBAGEAZwBCAHoAQQBHADgAQQBiAGcAQgBmAEEASABJAEEAWQBRAEIAMwBBAEMAQQBBAEwAUQBCAFcAQQBHAEUAQQBiAEEAQgAxAEEARwBVAEEASQBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBCAGIAQQBEAEUAQQBYAFEAQQBLAEEAQwBRAEEAWgBRAEIANABBAEcAVQBBAFkAdwBCAGYAQQBIAGMAQQBjAGcAQgBoAEEASABBAEEAYwBBAEIAbABBAEgASQBBAEkAQQBBADkAQQBDAEEAQQBXAHcAQgBUAEEARwBNAEEAYwBnAEIAcABBAEgAQQBBAGQAQQBCAEMAQQBHAHcAQQBiAHcAQgBqAEEARwBzAEEAWABRAEEANgBBAEQAbwBBAFEAdwBCAHkAQQBHAFUAQQBZAFEAQgAwAEEARwBVAEEASwBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBCAGIAQQBEAEEAQQBYAFEAQQBwAEEAQQBvAEEASgBnAEEAawBBAEcAVQBBAGUAQQBCAGwAQQBHAE0AQQBYAHcAQgAzAEEASABJAEEAWQBRAEIAdwBBAEgAQQBBAFoAUQBCAHkAQQBBAD0APQA= 10341000x8000000000000000162Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:30.344{928AB1BB-E35D-60C1-0B00-00000000C301}632852C:\Windows\system32\lsass.exe{928AB1BB-E3E8-60C1-AB02-00000000C301}2144C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:30.344{928AB1BB-E35D-60C1-0B00-00000000C301}632852C:\Windows\system32\lsass.exe{928AB1BB-E3E8-60C1-AB02-00000000C301}2144C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000160Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:30.281{928AB1BB-E3CF-60C1-2002-00000000C301}3352NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=4B5BA821923A2AC83691517355B6EF5D,SHA256=7BE256372F588D3D039230C87129EB4D6F598E7185887E11CE5C3F8E8BDD7731,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000159Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:30.281{928AB1BB-E3CF-60C1-2002-00000000C301}3352NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=718E5DB12E91B647115F2A0669A90B22,SHA256=7A154012B6F4FA68322B4FD50B10566BDF2D17B89122D46A42B03BE1E0915DAF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000158Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:30.046{928AB1BB-E35F-60C1-0C00-00000000C301}860888C:\Windows\system32\svchost.exe{928AB1BB-E371-60C1-2C00-00000000C301}3152C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000157Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:30.046{928AB1BB-E35F-60C1-0C00-00000000C301}860888C:\Windows\system32\svchost.exe{928AB1BB-E371-60C1-2C00-00000000C301}3152C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000156Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:30.046{928AB1BB-E35F-60C1-0C00-00000000C301}860888C:\Windows\system32\svchost.exe{928AB1BB-E371-60C1-2C00-00000000C301}3152C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000155Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:30.014{928AB1BB-E35F-60C1-0C00-00000000C301}860888C:\Windows\system32\svchost.exe{928AB1BB-E371-60C1-2C00-00000000C301}3152C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000154Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:30.014{928AB1BB-E35F-60C1-0C00-00000000C301}860888C:\Windows\system32\svchost.exe{928AB1BB-E371-60C1-2C00-00000000C301}3152C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000153Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:30.014{928AB1BB-E35F-60C1-0C00-00000000C301}860888C:\Windows\system32\svchost.exe{928AB1BB-E371-60C1-2C00-00000000C301}3152C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000152Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:29.998{928AB1BB-E35F-60C1-0C00-00000000C301}860888C:\Windows\system32\svchost.exe{928AB1BB-E371-60C1-2C00-00000000C301}3152C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000151Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:29.998{928AB1BB-E35F-60C1-0C00-00000000C301}860888C:\Windows\system32\svchost.exe{928AB1BB-E371-60C1-2C00-00000000C301}3152C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000150Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:29.998{928AB1BB-E35F-60C1-0C00-00000000C301}860888C:\Windows\system32\svchost.exe{928AB1BB-E371-60C1-2C00-00000000C301}3152C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000252Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:31.857{928AB1BB-E3E9-60C1-AE02-00000000C301}2892NT AUTHORITY\NETWORK SERVICEC:\Windows\system32\sppsvc.exeC:\Windows\System32\spp\store\2.0\cache\cache.datMD5=AECD21198DFB85E7F317E8A5B775EB02,SHA256=1D2D1CD3092316FF8FC733677E8FF56849DC0C0C881B7FD41007337474FE456E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000251Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:31.700{928AB1BB-E3EA-60C1-AF02-00000000C301}3112ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\ulbxo13a.0.csMD5=054C0A1487614BA970CB949FA443FFFB,SHA256=6B88C7F565FF6B5879B03F6F3622B596B63D0C76E3EC5751390A446AF187E21D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000250Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:31.700{928AB1BB-E3EA-60C1-AF02-00000000C301}3112ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\ulbxo13a.dllMD5=586FE1B17482E6E09DB7124354BD524D,SHA256=E45CEBD2A30E519659CC8E28CF814FD9271B1478802CCDE5F80E10FEC7F42BA0,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruetrue 23542300x8000000000000000249Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:31.700{928AB1BB-E3EA-60C1-AF02-00000000C301}3112ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\ulbxo13a.outMD5=1CF1493FFBB416C360EF5BFF482D837C,SHA256=77A69079346B8BD3424CAE15B62D8A7324EE6817230D8C3FC53A3D1EDCB069C2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000248Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:31.700{928AB1BB-E3EA-60C1-AF02-00000000C301}3112ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\ulbxo13a.cmdlineMD5=42D9B948F0D2E34A0813A09A7808E88D,SHA256=95C236A519820FD54A2C9A765B52A76B17ED67A4C86F0679DE08FCF10E40D8A0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000247Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:31.700{928AB1BB-E3EA-60C1-AF02-00000000C301}3112ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\ulbxo13a.pdbMD5=82D63AC52EB934987CE9E850E115B9EB,SHA256=88952898E762F9F4D2D062BBAC1D1BD51C7D5B36E99193BB4153E99C3D3DF5E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000246Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:31.685{928AB1BB-E3EB-60C1-B102-00000000C301}3704ATTACKRANGE\AdministratorC:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeC:\Users\Administrator\AppData\Local\Temp\CSC478F4F72D6394B08836D7B908B1E6CA.TMPMD5=022E512EF832F14AAA150BD4791B462B,SHA256=25406506EDC0BFCDF578953F334E082E7147CF189B4076820D60A81C7FB9C144,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000245Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.localDLL2021-06-10 10:05:31.685{928AB1BB-E3EB-60C1-B102-00000000C301}3704C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeC:\Users\Administrator\AppData\Local\Temp\ulbxo13a.dll2021-06-10 10:05:31.528 23542300x8000000000000000244Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:31.685{928AB1BB-E3EB-60C1-B102-00000000C301}3704ATTACKRANGE\AdministratorC:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeC:\Users\Administrator\AppData\Local\Temp\ulbxo13a.dllMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000243Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:31.685{928AB1BB-E3EB-60C1-B102-00000000C301}3704ATTACKRANGE\AdministratorC:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeC:\Users\ADMINI~1\AppData\Local\Temp\RES7F48.tmpMD5=4E7EDEAEE1C9700F27F9EFEB65AA4FF3,SHA256=B427A57A1576B8567855D22BE1B6C388616BCB1BDBBD1599700EB2941568DBED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000242Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:31.685{928AB1BB-E3EB-60C1-B202-00000000C301}2668ATTACKRANGE\AdministratorC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Users\ADMINI~1\AppData\Local\Temp\RES7F48.tmpMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000241Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:31.685{928AB1BB-E3E8-60C1-A902-00000000C301}21523000C:\Windows\system32\conhost.exe{928AB1BB-E3EB-60C1-B202-00000000C301}2668C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000240Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:31.669{928AB1BB-E35F-60C1-0C00-00000000C301}860888C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000239Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:31.669{928AB1BB-E35F-60C1-0C00-00000000C301}860888C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000238Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:31.669{928AB1BB-E35F-60C1-0C00-00000000C301}860888C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000237Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:31.669{928AB1BB-E35F-60C1-0C00-00000000C301}860888C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000236Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:31.669{928AB1BB-E35F-60C1-0C00-00000000C301}860888C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000235Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:31.669{928AB1BB-E35F-60C1-0C00-00000000C301}860888C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000234Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:31.669{928AB1BB-E35F-60C1-0C00-00000000C301}860888C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000233Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:31.669{928AB1BB-E349-60C1-0500-00000000C301}412500C:\Windows\system32\csrss.exe{928AB1BB-E3EB-60C1-B202-00000000C301}2668C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000232Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:31.669{928AB1BB-E35F-60C1-0C00-00000000C301}860888C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000231Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:31.669{928AB1BB-E35F-60C1-0C00-00000000C301}860888C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000230Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:31.669{928AB1BB-E3EB-60C1-B102-00000000C301}37042116C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe{928AB1BB-E3EB-60C1-B202-00000000C301}2668C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+b46d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+3db4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+3f2c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+4002|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+27b2|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+2804|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+2948|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+7fe06|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+4726f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+45e1f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+45b16|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+45826|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+1938a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+18bf6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+a831|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+1f0a49|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000229Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:31.680{928AB1BB-E3EB-60C1-B202-00000000C301}2668C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe14.10.25028.0 built by: VCTOOLSD15RTMMicrosoft® Resource File To COFF Object Conversion UtilityMicrosoft® .NET FrameworkMicrosoft CorporationCVTRES.EXEC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\ADMINI~1\AppData\Local\Temp\RES7F48.tmp" "c:\Users\Administrator\AppData\Local\Temp\CSC478F4F72D6394B08836D7B908B1E6CA.TMP"C:\Users\Administrator\ATTACKRANGE\Administrator{928AB1BB-E3E8-60C1-DE17-0D0000000000}0xd17de0HighMD5=C877CBB966EA5939AA2A17B6A5160950,SHA256=1FE531EAC592B480AA4BD16052B909C3431434F17E7AE163D248355558CE43A6,IMPHASH=55D76ADE7FFEA0F41FF2B55505C2B362{928AB1BB-E3EB-60C1-B102-00000000C301}3704C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\ADMINI~1\AppData\Local\Temp\ulbxo13a.cmdline" 10341000x8000000000000000228Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:31.575{928AB1BB-E3E8-60C1-A902-00000000C301}21523000C:\Windows\system32\conhost.exe{928AB1BB-E3EB-60C1-B102-00000000C301}3704C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000227Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:31.575{928AB1BB-E35F-60C1-0C00-00000000C301}860888C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000226Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:31.575{928AB1BB-E35F-60C1-0C00-00000000C301}860888C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000225Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:31.575{928AB1BB-E35F-60C1-0C00-00000000C301}860888C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000224Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:31.575{928AB1BB-E35F-60C1-0C00-00000000C301}860888C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000223Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:31.575{928AB1BB-E35F-60C1-0C00-00000000C301}860888C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000222Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:31.575{928AB1BB-E35F-60C1-0C00-00000000C301}860888C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000221Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:31.575{928AB1BB-E35F-60C1-0C00-00000000C301}860888C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000220Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:31.559{928AB1BB-E35F-60C1-0C00-00000000C301}860888C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000219Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:31.559{928AB1BB-E35F-60C1-0C00-00000000C301}860888C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000218Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:31.559{928AB1BB-E349-60C1-0500-00000000C301}412500C:\Windows\system32\csrss.exe{928AB1BB-E3EB-60C1-B102-00000000C301}3704C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000217Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:31.559{928AB1BB-E3EA-60C1-AF02-00000000C301}31122316C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{928AB1BB-E3EB-60C1-B102-00000000C301}3704C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\92b818b675d92827ce6f9fe02da8f648\System.ni.dll+384236|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\92b818b675d92827ce6f9fe02da8f648\System.ni.dll+2be405|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\92b818b675d92827ce6f9fe02da8f648\System.ni.dll+2be05f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\92b818b675d92827ce6f9fe02da8f648\System.ni.dll+2bdb80|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\92b818b675d92827ce6f9fe02da8f648\System.ni.dll+2bdb08|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\92b818b675d92827ce6f9fe02da8f648\System.ni.dll+2bc1c3|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\92b818b675d92827ce6f9fe02da8f648\System.ni.dll+7d8ed2|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\92b818b675d92827ce6f9fe02da8f648\System.ni.dll+7d894a|UNKNOWN(00007FFE6D60BB0F) 154100x8000000000000000216Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:31.545{928AB1BB-E3EB-60C1-B102-00000000C301}3704C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe4.8.3761.0 built by: NET48REL1Visual C# Command Line CompilerMicrosoft® .NET FrameworkMicrosoft Corporationcsc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\ADMINI~1\AppData\Local\Temp\ulbxo13a.cmdline"C:\Users\Administrator\ATTACKRANGE\Administrator{928AB1BB-E3E8-60C1-DE17-0D0000000000}0xd17de0HighMD5=23EE3D381CFE3B9F6229483E2CE2F9E1,SHA256=4240A12E0B246C9D69AF1F697488FE7DA1B497DF20F4A6F95135B4D5FE180A57,IMPHASH=EE1E569AD02AA1F7AECA80AC0601D80D{928AB1BB-E3EA-60C1-AF02-00000000C301}3112C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand JgBjAGgAYwBwAC4AYwBvAG0AIAA2ADUAMAAwADEAIAA+ACAAJABuAHUAbABsAAoAJABlAHgAZQBjAF8AdwByAGEAcABwAGUAcgBfAHMAdAByACAAPQAgACQAaQBuAHAAdQB0ACAAfAAgAE8AdQB0AC0AUwB0AHIAaQBuAGcACgAkAHMAcABsAGkAdABfAHAAYQByAHQAcwAgAD0AIAAkAGUAeABlAGMAXwB3AHIAYQBwAHAAZQByAF8AcwB0AHIALgBTAHAAbABpAHQAKABAACgAIgBgADAAYAAwAGAAMABgADAAIgApACwAIAAyACwAIABbAFMAdAByAGkAbgBnAFMAcABsAGkAdABPAHAAdABpAG8AbgBzAF0AOgA6AFIAZQBtAG8AdgBlAEUAbQBwAHQAeQBFAG4AdAByAGkAZQBzACkACgBJAGYAIAAoAC0AbgBvAHQAIAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwAuAEwAZQBuAGcAdABoACAALQBlAHEAIAAyACkAIAB7ACAAdABoAHIAbwB3ACAAIgBpAG4AdgBhAGwAaQBkACAAcABhAHkAbABvAGEAZAAiACAAfQAKAFMAZQB0AC0AVgBhAHIAaQBhAGIAbABlACAALQBOAGEAbQBlACAAagBzAG8AbgBfAHIAYQB3ACAALQBWAGEAbAB1AGUAIAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwBbADEAXQAKACQAZQB4AGUAYwBfAHcAcgBhAHAAcABlAHIAIAA9ACAAWwBTAGMAcgBpAHAAdABCAGwAbwBjAGsAXQA6ADoAQwByAGUAYQB0AGUAKAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwBbADAAXQApAAoAJgAkAGUAeABlAGMAXwB3AHIAYQBwAHAAZQByAA== 11241100x8000000000000000215Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:31.528{928AB1BB-E3EA-60C1-AF02-00000000C301}3112C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\ulbxo13a.cmdline2021-06-10 10:05:31.528 11241100x8000000000000000214Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.localDLL2021-06-10 10:05:31.528{928AB1BB-E3EA-60C1-AF02-00000000C301}3112C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\ulbxo13a.dll2021-06-10 10:05:31.528 10341000x8000000000000000213Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:31.351{928AB1BB-E35D-60C1-0B00-00000000C301}632844C:\Windows\system32\lsass.exe{928AB1BB-E35F-60C1-1300-00000000C301}964C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+1d1e8|C:\Windows\system32\lsasrv.dll+1c411|C:\Windows\system32\lsasrv.dll+1ac30|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000212Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:31.351{928AB1BB-E35D-60C1-0B00-00000000C301}632844C:\Windows\system32\lsass.exe{928AB1BB-E35F-60C1-1300-00000000C301}964C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+19616|C:\Windows\system32\lsasrv.dll+1abbf|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000211Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:31.351{928AB1BB-E35D-60C1-0B00-00000000C301}632844C:\Windows\system32\lsass.exe{928AB1BB-E35F-60C1-1300-00000000C301}964C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000210Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:31.320{928AB1BB-E35F-60C1-1200-00000000C301}900NT AUTHORITY\SYSTEMC:\Windows\System32\svchost.exeC:\Windows\System32\LogFiles\WMI\SUM.etlMD5=CB9183941EECF1CF21CEA85C26DA42DE,SHA256=A7CA66A4173203D040274A9F410B98FB2396679ED11036EE3983EDF7C80AEB31,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000209Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:31.179{928AB1BB-E35F-60C1-0C00-00000000C301}860888C:\Windows\system32\svchost.exe{928AB1BB-E371-60C1-2C00-00000000C301}3152C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000208Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:31.179{928AB1BB-E35F-60C1-0C00-00000000C301}860888C:\Windows\system32\svchost.exe{928AB1BB-E371-60C1-2C00-00000000C301}3152C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000207Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:31.179{928AB1BB-E35F-60C1-0C00-00000000C301}860888C:\Windows\system32\svchost.exe{928AB1BB-E371-60C1-2C00-00000000C301}3152C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000206Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:31.179{928AB1BB-E35F-60C1-0C00-00000000C301}860888C:\Windows\system32\svchost.exe{928AB1BB-E371-60C1-2C00-00000000C301}3152C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000205Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:31.179{928AB1BB-E35F-60C1-0C00-00000000C301}860888C:\Windows\system32\svchost.exe{928AB1BB-E371-60C1-2C00-00000000C301}3152C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000204Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:31.179{928AB1BB-E35F-60C1-0C00-00000000C301}860888C:\Windows\system32\svchost.exe{928AB1BB-E371-60C1-2C00-00000000C301}3152C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000203Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:28.135{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse46.128.24.7946.128.24.79.dynamic.cablesurf.de52667-false10.0.1.14win-dc-365.attackrange.local5986- 10341000x8000000000000000202Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:31.163{928AB1BB-E35F-60C1-0C00-00000000C301}860888C:\Windows\system32\svchost.exe{928AB1BB-E371-60C1-2C00-00000000C301}3152C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000201Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:31.163{928AB1BB-E35F-60C1-0C00-00000000C301}860888C:\Windows\system32\svchost.exe{928AB1BB-E371-60C1-2C00-00000000C301}3152C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000200Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:31.163{928AB1BB-E35F-60C1-0C00-00000000C301}860888C:\Windows\system32\svchost.exe{928AB1BB-E371-60C1-2C00-00000000C301}3152C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000354Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:32.627{928AB1BB-E3EC-60C1-B402-00000000C301}41724192C:\Windows\system32\conhost.exe{928AB1BB-E3EC-60C1-B802-00000000C301}4464C:\Windows\system32\chcp.com0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000353Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:32.627{928AB1BB-E35F-60C1-0C00-00000000C301}860888C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000352Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:32.627{928AB1BB-E35F-60C1-0C00-00000000C301}860888C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000351Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:32.627{928AB1BB-E35F-60C1-0C00-00000000C301}860888C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000350Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:32.627{928AB1BB-E35F-60C1-0C00-00000000C301}860888C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000349Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:32.627{928AB1BB-E35F-60C1-0C00-00000000C301}860888C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000348Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:32.627{928AB1BB-E35F-60C1-0C00-00000000C301}860888C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000347Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:32.627{928AB1BB-E35F-60C1-0C00-00000000C301}860888C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000346Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:32.627{928AB1BB-E35F-60C1-0C00-00000000C301}860888C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000345Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:32.627{928AB1BB-E349-60C1-0500-00000000C301}412428C:\Windows\system32\csrss.exe{928AB1BB-E3EC-60C1-B802-00000000C301}4464C:\Windows\system32\chcp.com0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000344Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:32.627{928AB1BB-E35F-60C1-0C00-00000000C301}860888C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000343Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:32.627{928AB1BB-E3EC-60C1-B702-00000000C301}43604460C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{928AB1BB-E3EC-60C1-B802-00000000C301}4464C:\Windows\system32\chcp.com0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\92b818b675d92827ce6f9fe02da8f648\System.ni.dll+384236|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\92b818b675d92827ce6f9fe02da8f648\System.ni.dll+2c4809|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\92b818b675d92827ce6f9fe02da8f648\System.ni.dll+2c4179|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c4458184(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c38cb47d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c38cb0b8(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c43a3546(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c388802a(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c38eba9c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c38cdaab(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c38cdaab(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c38cd93c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c38be65c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c38cbb9e(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c38cb76b(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c38cb47d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c38cb0b8(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c43a3546(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c38b0363(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c38af8d5(wow64) 154100x8000000000000000342Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:32.637{928AB1BB-E3EC-60C1-B802-00000000C301}4464C:\Windows\System32\chcp.com10.0.14393.0 (rs1_release.160715-1616)Change CodePage UtilityMicrosoft® Windows® Operating SystemMicrosoft CorporationCHCP.COM"C:\Windows\system32\chcp.com" 65001C:\Users\Administrator\ATTACKRANGE\Administrator{928AB1BB-E3EC-60C1-35E9-0D0000000000}0xde9350HighMD5=BA6FD5B883C0899785D17CEBE66A25F6,SHA256=9FDBDF88CF2BB2794C416E3083553F2898AC9DC92DFAC2478B4C1DF667DF7C74,IMPHASH=4FB30D6E330F3FB3DB61550BD7FA7CCD{928AB1BB-E3EC-60C1-B702-00000000C301}4360C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand JgBjAGgAYwBwAC4AYwBvAG0AIAA2ADUAMAAwADEAIAA+ACAAJABuAHUAbABsAAoAJABlAHgAZQBjAF8AdwByAGEAcABwAGUAcgBfAHMAdAByACAAPQAgACQAaQBuAHAAdQB0ACAAfAAgAE8AdQB0AC0AUwB0AHIAaQBuAGcACgAkAHMAcABsAGkAdABfAHAAYQByAHQAcwAgAD0AIAAkAGUAeABlAGMAXwB3AHIAYQBwAHAAZQByAF8AcwB0AHIALgBTAHAAbABpAHQAKABAACgAIgBgADAAYAAwAGAAMABgADAAIgApACwAIAAyACwAIABbAFMAdAByAGkAbgBnAFMAcABsAGkAdABPAHAAdABpAG8AbgBzAF0AOgA6AFIAZQBtAG8AdgBlAEUAbQBwAHQAeQBFAG4AdAByAGkAZQBzACkACgBJAGYAIAAoAC0AbgBvAHQAIAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwAuAEwAZQBuAGcAdABoACAALQBlAHEAIAAyACkAIAB7ACAAdABoAHIAbwB3ACAAIgBpAG4AdgBhAGwAaQBkACAAcABhAHkAbABvAGEAZAAiACAAfQAKAFMAZQB0AC0AVgBhAHIAaQBhAGIAbABlACAALQBOAGEAbQBlACAAagBzAG8AbgBfAHIAYQB3ACAALQBWAGEAbAB1AGUAIAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwBbADEAXQAKACQAZQB4AGUAYwBfAHcAcgBhAHAAcABlAHIAIAA9ACAAWwBTAGMAcgBpAHAAdABCAGwAbwBjAGsAXQA6ADoAQwByAGUAYQB0AGUAKAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwBbADAAXQApAAoAJgAkAGUAeABlAGMAXwB3AHIAYQBwAHAAZQByAA== 10341000x8000000000000000341Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:32.580{928AB1BB-E35D-60C1-0B00-00000000C301}632852C:\Windows\system32\lsass.exe{928AB1BB-E3EC-60C1-B702-00000000C301}4360C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000340Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:32.580{928AB1BB-E35D-60C1-0B00-00000000C301}632852C:\Windows\system32\lsass.exe{928AB1BB-E3EC-60C1-B702-00000000C301}4360C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 17141700x8000000000000000339Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-CreatePipe2021-06-10 10:05:32.564{928AB1BB-E3EC-60C1-B702-00000000C301}4360\PSHost.132677931325140831.4360.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 23542300x8000000000000000338Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:32.549{928AB1BB-E3EC-60C1-B702-00000000C301}4360ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_v2zclwdq.ta2.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000337Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:32.549{928AB1BB-E3EC-60C1-B702-00000000C301}4360ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_0scj0azo.0sx.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000336Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:32.549{928AB1BB-E3EC-60C1-B702-00000000C301}4360C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_0scj0azo.0sx.ps12021-06-10 10:05:32.549 10341000x8000000000000000335Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:32.533{928AB1BB-E35F-60C1-0C00-00000000C301}860888C:\Windows\system32\svchost.exe{928AB1BB-E3EC-60C1-B702-00000000C301}4360C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000334Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:32.517{928AB1BB-E3CF-60C1-2002-00000000C301}3352NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=2DD16E50FEEAE78E1151B200C9132154,SHA256=C725C05BA6BC759221063524EC3CCE37217C953148BA76467D90EF8983C724D0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000333Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:32.517{928AB1BB-E3CF-60C1-2002-00000000C301}3352NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=EBA08C05AF89C099E70BC7D09294400E,SHA256=7C35A4C418418A49C603EBBADD43CA0B855BFDAF417A31C05BFB2430E24F6B73,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000332Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:32.502{928AB1BB-E3EC-60C1-B402-00000000C301}41724192C:\Windows\system32\conhost.exe{928AB1BB-E3EC-60C1-B702-00000000C301}4360C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000331Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:32.502{928AB1BB-E35F-60C1-0C00-00000000C301}860888C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000330Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:32.502{928AB1BB-E35F-60C1-0C00-00000000C301}860888C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000329Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:32.502{928AB1BB-E35F-60C1-0C00-00000000C301}860888C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000328Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:32.502{928AB1BB-E35F-60C1-0C00-00000000C301}860888C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000327Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:32.502{928AB1BB-E35F-60C1-0C00-00000000C301}860888C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000326Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:32.502{928AB1BB-E35F-60C1-0C00-00000000C301}860888C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000325Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:32.502{928AB1BB-E35F-60C1-0C00-00000000C301}860888C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000324Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:32.502{928AB1BB-E35F-60C1-0C00-00000000C301}860888C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000323Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:32.502{928AB1BB-E35F-60C1-0C00-00000000C301}860888C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000322Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:32.502{928AB1BB-E349-60C1-0500-00000000C301}412500C:\Windows\system32\csrss.exe{928AB1BB-E3EC-60C1-B702-00000000C301}4360C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000321Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:32.502{928AB1BB-E3EC-60C1-B602-00000000C301}42564356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{928AB1BB-E3EC-60C1-B702-00000000C301}4360C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\92b818b675d92827ce6f9fe02da8f648\System.ni.dll+384236|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\92b818b675d92827ce6f9fe02da8f648\System.ni.dll+2c4809|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\92b818b675d92827ce6f9fe02da8f648\System.ni.dll+2c4179|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+d95a5189|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+d8a18482|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+d8a180bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+d94f054b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+d89d502f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+d8a38aa1|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+d8a1aab0|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+d8a1aab0|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+d8a1a941|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+d8a0b661|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+d8a18ba3|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+d8a18770|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+d8a18482|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+d8a180bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+d94f054b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+d89fd368|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+d89fc8da 154100x8000000000000000320Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:32.514{928AB1BB-E3EC-60C1-B702-00000000C301}4360C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXE"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand JgBjAGgAYwBwAC4AYwBvAG0AIAA2ADUAMAAwADEAIAA+ACAAJABuAHUAbABsAAoAJABlAHgAZQBjAF8AdwByAGEAcABwAGUAcgBfAHMAdAByACAAPQAgACQAaQBuAHAAdQB0ACAAfAAgAE8AdQB0AC0AUwB0AHIAaQBuAGcACgAkAHMAcABsAGkAdABfAHAAYQByAHQAcwAgAD0AIAAkAGUAeABlAGMAXwB3AHIAYQBwAHAAZQByAF8AcwB0AHIALgBTAHAAbABpAHQAKABAACgAIgBgADAAYAAwAGAAMABgADAAIgApACwAIAAyACwAIABbAFMAdAByAGkAbgBnAFMAcABsAGkAdABPAHAAdABpAG8AbgBzAF0AOgA6AFIAZQBtAG8AdgBlAEUAbQBwAHQAeQBFAG4AdAByAGkAZQBzACkACgBJAGYAIAAoAC0AbgBvAHQAIAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwAuAEwAZQBuAGcAdABoACAALQBlAHEAIAAyACkAIAB7ACAAdABoAHIAbwB3ACAAIgBpAG4AdgBhAGwAaQBkACAAcABhAHkAbABvAGEAZAAiACAAfQAKAFMAZQB0AC0AVgBhAHIAaQBhAGIAbABlACAALQBOAGEAbQBlACAAagBzAG8AbgBfAHIAYQB3ACAALQBWAGEAbAB1AGUAIAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwBbADEAXQAKACQAZQB4AGUAYwBfAHcAcgBhAHAAcABlAHIAIAA9ACAAWwBTAGMAcgBpAHAAdABCAGwAbwBjAGsAXQA6ADoAQwByAGUAYQB0AGUAKAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwBbADAAXQApAAoAJgAkAGUAeABlAGMAXwB3AHIAYQBwAHAAZQByAA==C:\Users\Administrator\ATTACKRANGE\Administrator{928AB1BB-E3EC-60C1-35E9-0D0000000000}0xde9350HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{928AB1BB-E3EC-60C1-B602-00000000C301}4256C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand UABvAHcAZQByAFMAaABlAGwAbAAgAC0ATgBvAFAAcgBvAGYAaQBsAGUAIAAtAE4AbwBuAEkAbgB0AGUAcgBhAGMAdABpAHYAZQAgAC0ARQB4AGUAYwB1AHQAaQBvAG4AUABvAGwAaQBjAHkAIABVAG4AcgBlAHMAdAByAGkAYwB0AGUAZAAgAC0ARQBuAGMAbwBkAGUAZABDAG8AbQBtAGEAbgBkACAASgBnAEIAagBBAEcAZwBBAFkAdwBCAHcAQQBDADQAQQBZAHcAQgB2AEEARwAwAEEASQBBAEEAMgBBAEQAVQBBAE0AQQBBAHcAQQBEAEUAQQBJAEEAQQArAEEAQwBBAEEASgBBAEIAdQBBAEgAVQBBAGIAQQBCAHMAQQBBAG8AQQBKAEEAQgBsAEEASABnAEEAWgBRAEIAagBBAEYAOABBAGQAdwBCAHkAQQBHAEUAQQBjAEEAQgB3AEEARwBVAEEAYwBnAEIAZgBBAEgATQBBAGQAQQBCAHkAQQBDAEEAQQBQAFEAQQBnAEEAQwBRAEEAYQBRAEIAdQBBAEgAQQBBAGQAUQBCADAAQQBDAEEAQQBmAEEAQQBnAEEARQA4AEEAZABRAEIAMABBAEMAMABBAFUAdwBCADAAQQBIAEkAQQBhAFEAQgB1AEEARwBjAEEAQwBnAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBBAGcAQQBEADAAQQBJAEEAQQBrAEEARwBVAEEAZQBBAEIAbABBAEcATQBBAFgAdwBCADMAQQBIAEkAQQBZAFEAQgB3AEEASABBAEEAWgBRAEIAeQBBAEYAOABBAGMAdwBCADAAQQBIAEkAQQBMAGcAQgBUAEEASABBAEEAYgBBAEIAcABBAEgAUQBBAEsAQQBCAEEAQQBDAGcAQQBJAGcAQgBnAEEARABBAEEAWQBBAEEAdwBBAEcAQQBBAE0AQQBCAGcAQQBEAEEAQQBJAGcAQQBwAEEAQwB3AEEASQBBAEEAeQBBAEMAdwBBAEkAQQBCAGIAQQBGAE0AQQBkAEEAQgB5AEEARwBrAEEAYgBnAEIAbgBBAEYATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBQAEEASABBAEEAZABBAEIAcABBAEcAOABBAGIAZwBCAHoAQQBGADAAQQBPAGcAQQA2AEEARgBJAEEAWgBRAEIAdABBAEcAOABBAGQAZwBCAGwAQQBFAFUAQQBiAFEAQgB3AEEASABRAEEAZQBRAEIARgBBAEcANABBAGQAQQBCAHkAQQBHAGsAQQBaAFEAQgB6AEEAQwBrAEEAQwBnAEIASgBBAEcAWQBBAEkAQQBBAG8AQQBDADAAQQBiAGcAQgB2AEEASABRAEEASQBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBBAHUAQQBFAHcAQQBaAFEAQgB1AEEARwBjAEEAZABBAEIAbwBBAEMAQQBBAEwAUQBCAGwAQQBIAEUAQQBJAEEAQQB5AEEAQwBrAEEASQBBAEIANwBBAEMAQQBBAGQAQQBCAG8AQQBIAEkAQQBiAHcAQgAzAEEAQwBBAEEASQBnAEIAcABBAEcANABBAGQAZwBCAGgAQQBHAHcAQQBhAFEAQgBrAEEAQwBBAEEAYwBBAEIAaABBAEgAawBBAGIAQQBCAHYAQQBHAEUAQQBaAEEAQQBpAEEAQwBBAEEAZgBRAEEASwBBAEYATQBBAFoAUQBCADAAQQBDADAAQQBWAGcAQgBoAEEASABJAEEAYQBRAEIAaABBAEcASQBBAGIAQQBCAGwAQQBDAEEAQQBMAFEAQgBPAEEARwBFAEEAYgBRAEIAbABBAEMAQQBBAGEAZwBCAHoAQQBHADgAQQBiAGcAQgBmAEEASABJAEEAWQBRAEIAMwBBAEMAQQBBAEwAUQBCAFcAQQBHAEUAQQBiAEEAQgAxAEEARwBVAEEASQBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBCAGIAQQBEAEUAQQBYAFEAQQBLAEEAQwBRAEEAWgBRAEIANABBAEcAVQBBAFkAdwBCAGYAQQBIAGMAQQBjAGcAQgBoAEEASABBAEEAYwBBAEIAbABBAEgASQBBAEkAQQBBADkAQQBDAEEAQQBXAHcAQgBUAEEARwBNAEEAYwBnAEIAcABBAEgAQQBBAGQAQQBCAEMAQQBHAHcAQQBiAHcAQgBqAEEARwBzAEEAWABRAEEANgBBAEQAbwBBAFEAdwBCAHkAQQBHAFUAQQBZAFEAQgAwAEEARwBVAEEASwBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBCAGIAQQBEAEEAQQBYAFEAQQBwAEEAQQBvAEEASgBnAEEAawBBAEcAVQBBAGUAQQBCAGwAQQBHAE0AQQBYAHcAQgAzAEEASABJAEEAWQBRAEIAdwBBAEgAQQBBAFoAUQBCAHkAQQBBAD0APQA= 10341000x8000000000000000319Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:32.470{928AB1BB-E35D-60C1-0B00-00000000C301}632852C:\Windows\system32\lsass.exe{928AB1BB-E3EC-60C1-B602-00000000C301}4256C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000318Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:32.470{928AB1BB-E35D-60C1-0B00-00000000C301}632852C:\Windows\system32\lsass.exe{928AB1BB-E3EC-60C1-B602-00000000C301}4256C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 17141700x8000000000000000317Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-CreatePipe2021-06-10 10:05:32.439{928AB1BB-E3EC-60C1-B602-00000000C301}4256\PSHost.132677931323938068.4256.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 23542300x8000000000000000316Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:32.439{928AB1BB-E3EC-60C1-B602-00000000C301}4256ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_zhckxome.mno.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000315Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:32.439{928AB1BB-E3EC-60C1-B602-00000000C301}4256ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_5yo4cdno.dpj.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000314Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:32.423{928AB1BB-E3EC-60C1-B602-00000000C301}4256C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_5yo4cdno.dpj.ps12021-06-10 10:05:32.423 10341000x8000000000000000313Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:32.407{928AB1BB-E35F-60C1-0C00-00000000C301}860888C:\Windows\system32\svchost.exe{928AB1BB-E3EC-60C1-B602-00000000C301}4256C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000312Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:32.407{928AB1BB-E35D-60C1-0B00-00000000C301}632852C:\Windows\system32\lsass.exe{928AB1BB-E35F-60C1-1300-00000000C301}964C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+1d1e8|C:\Windows\system32\lsasrv.dll+1c411|C:\Windows\system32\lsasrv.dll+1ac30|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000311Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:32.407{928AB1BB-E35D-60C1-0B00-00000000C301}632852C:\Windows\system32\lsass.exe{928AB1BB-E35F-60C1-1300-00000000C301}964C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+19616|C:\Windows\system32\lsasrv.dll+1abbf|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000310Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:32.407{928AB1BB-E35D-60C1-0B00-00000000C301}632852C:\Windows\system32\lsass.exe{928AB1BB-E35F-60C1-1300-00000000C301}964C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000309Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:32.391{928AB1BB-E3EC-60C1-B402-00000000C301}41724192C:\Windows\system32\conhost.exe{928AB1BB-E3EC-60C1-B602-00000000C301}4256C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000308Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:32.391{928AB1BB-E35F-60C1-0C00-00000000C301}860888C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000307Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:32.391{928AB1BB-E35F-60C1-0C00-00000000C301}860888C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000306Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:32.391{928AB1BB-E35F-60C1-0C00-00000000C301}860888C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000305Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:32.391{928AB1BB-E35F-60C1-0C00-00000000C301}860888C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000304Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:32.391{928AB1BB-E35F-60C1-0C00-00000000C301}860888C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000303Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:32.391{928AB1BB-E35F-60C1-0C00-00000000C301}860888C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000302Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:32.391{928AB1BB-E35F-60C1-0C00-00000000C301}860888C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000301Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:32.391{928AB1BB-E35F-60C1-0C00-00000000C301}860888C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000300Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:32.391{928AB1BB-E35F-60C1-0C00-00000000C301}860888C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:32.391{928AB1BB-E349-60C1-0500-00000000C301}412500C:\Windows\system32\csrss.exe{928AB1BB-E3EC-60C1-B602-00000000C301}4256C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000298Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:32.391{928AB1BB-E3EC-60C1-B502-00000000C301}42444248C:\Windows\system32\cmd.exe{928AB1BB-E3EC-60C1-B602-00000000C301}4256C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000297Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:32.393{928AB1BB-E3EC-60C1-B602-00000000C301}4256C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXEPowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand UABvAHcAZQByAFMAaABlAGwAbAAgAC0ATgBvAFAAcgBvAGYAaQBsAGUAIAAtAE4AbwBuAEkAbgB0AGUAcgBhAGMAdABpAHYAZQAgAC0ARQB4AGUAYwB1AHQAaQBvAG4AUABvAGwAaQBjAHkAIABVAG4AcgBlAHMAdAByAGkAYwB0AGUAZAAgAC0ARQBuAGMAbwBkAGUAZABDAG8AbQBtAGEAbgBkACAASgBnAEIAagBBAEcAZwBBAFkAdwBCAHcAQQBDADQAQQBZAHcAQgB2AEEARwAwAEEASQBBAEEAMgBBAEQAVQBBAE0AQQBBAHcAQQBEAEUAQQBJAEEAQQArAEEAQwBBAEEASgBBAEIAdQBBAEgAVQBBAGIAQQBCAHMAQQBBAG8AQQBKAEEAQgBsAEEASABnAEEAWgBRAEIAagBBAEYAOABBAGQAdwBCAHkAQQBHAEUAQQBjAEEAQgB3AEEARwBVAEEAYwBnAEIAZgBBAEgATQBBAGQAQQBCAHkAQQBDAEEAQQBQAFEAQQBnAEEAQwBRAEEAYQBRAEIAdQBBAEgAQQBBAGQAUQBCADAAQQBDAEEAQQBmAEEAQQBnAEEARQA4AEEAZABRAEIAMABBAEMAMABBAFUAdwBCADAAQQBIAEkAQQBhAFEAQgB1AEEARwBjAEEAQwBnAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBBAGcAQQBEADAAQQBJAEEAQQBrAEEARwBVAEEAZQBBAEIAbABBAEcATQBBAFgAdwBCADMAQQBIAEkAQQBZAFEAQgB3AEEASABBAEEAWgBRAEIAeQBBAEYAOABBAGMAdwBCADAAQQBIAEkAQQBMAGcAQgBUAEEASABBAEEAYgBBAEIAcABBAEgAUQBBAEsAQQBCAEEAQQBDAGcAQQBJAGcAQgBnAEEARABBAEEAWQBBAEEAdwBBAEcAQQBBAE0AQQBCAGcAQQBEAEEAQQBJAGcAQQBwAEEAQwB3AEEASQBBAEEAeQBBAEMAdwBBAEkAQQBCAGIAQQBGAE0AQQBkAEEAQgB5AEEARwBrAEEAYgBnAEIAbgBBAEYATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBQAEEASABBAEEAZABBAEIAcABBAEcAOABBAGIAZwBCAHoAQQBGADAAQQBPAGcAQQA2AEEARgBJAEEAWgBRAEIAdABBAEcAOABBAGQAZwBCAGwAQQBFAFUAQQBiAFEAQgB3AEEASABRAEEAZQBRAEIARgBBAEcANABBAGQAQQBCAHkAQQBHAGsAQQBaAFEAQgB6AEEAQwBrAEEAQwBnAEIASgBBAEcAWQBBAEkAQQBBAG8AQQBDADAAQQBiAGcAQgB2AEEASABRAEEASQBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBBAHUAQQBFAHcAQQBaAFEAQgB1AEEARwBjAEEAZABBAEIAbwBBAEMAQQBBAEwAUQBCAGwAQQBIAEUAQQBJAEEAQQB5AEEAQwBrAEEASQBBAEIANwBBAEMAQQBBAGQAQQBCAG8AQQBIAEkAQQBiAHcAQgAzAEEAQwBBAEEASQBnAEIAcABBAEcANABBAGQAZwBCAGgAQQBHAHcAQQBhAFEAQgBrAEEAQwBBAEEAYwBBAEIAaABBAEgAawBBAGIAQQBCAHYAQQBHAEUAQQBaAEEAQQBpAEEAQwBBAEEAZgBRAEEASwBBAEYATQBBAFoAUQBCADAAQQBDADAAQQBWAGcAQgBoAEEASABJAEEAYQBRAEIAaABBAEcASQBBAGIAQQBCAGwAQQBDAEEAQQBMAFEAQgBPAEEARwBFAEEAYgBRAEIAbABBAEMAQQBBAGEAZwBCAHoAQQBHADgAQQBiAGcAQgBmAEEASABJAEEAWQBRAEIAMwBBAEMAQQBBAEwAUQBCAFcAQQBHAEUAQQBiAEEAQgAxAEEARwBVAEEASQBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBCAGIAQQBEAEUAQQBYAFEAQQBLAEEAQwBRAEEAWgBRAEIANABBAEcAVQBBAFkAdwBCAGYAQQBIAGMAQQBjAGcAQgBoAEEASABBAEEAYwBBAEIAbABBAEgASQBBAEkAQQBBADkAQQBDAEEAQQBXAHcAQgBUAEEARwBNAEEAYwBnAEIAcABBAEgAQQBBAGQAQQBCAEMAQQBHAHcAQQBiAHcAQgBqAEEARwBzAEEAWABRAEEANgBBAEQAbwBBAFEAdwBCAHkAQQBHAFUAQQBZAFEAQgAwAEEARwBVAEEASwBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBCAGIAQQBEAEEAQQBYAFEAQQBwAEEAQQBvAEEASgBnAEEAawBBAEcAVQBBAGUAQQBCAGwAQQBHAE0AQQBYAHcAQgAzAEEASABJAEEAWQBRAEIAdwBBAEgAQQBBAFoAUQBCAHkAQQBBAD0APQA=C:\Users\Administrator\ATTACKRANGE\Administrator{928AB1BB-E3EC-60C1-35E9-0D0000000000}0xde9350HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{928AB1BB-E3EC-60C1-B502-00000000C301}4244C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /C PowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand UABvAHcAZQByAFMAaABlAGwAbAAgAC0ATgBvAFAAcgBvAGYAaQBsAGUAIAAtAE4AbwBuAEkAbgB0AGUAcgBhAGMAdABpAHYAZQAgAC0ARQB4AGUAYwB1AHQAaQBvAG4AUABvAGwAaQBjAHkAIABVAG4AcgBlAHMAdAByAGkAYwB0AGUAZAAgAC0ARQBuAGMAbwBkAGUAZABDAG8AbQBtAGEAbgBkACAASgBnAEIAagBBAEcAZwBBAFkAdwBCAHcAQQBDADQAQQBZAHcAQgB2AEEARwAwAEEASQBBAEEAMgBBAEQAVQBBAE0AQQBBAHcAQQBEAEUAQQBJAEEAQQArAEEAQwBBAEEASgBBAEIAdQBBAEgAVQBBAGIAQQBCAHMAQQBBAG8AQQBKAEEAQgBsAEEASABnAEEAWgBRAEIAagBBAEYAOABBAGQAdwBCAHkAQQBHAEUAQQBjAEEAQgB3AEEARwBVAEEAYwBnAEIAZgBBAEgATQBBAGQAQQBCAHkAQQBDAEEAQQBQAFEAQQBnAEEAQwBRAEEAYQBRAEIAdQBBAEgAQQBBAGQAUQBCADAAQQBDAEEAQQBmAEEAQQBnAEEARQA4AEEAZABRAEIAMABBAEMAMABBAFUAdwBCADAAQQBIAEkAQQBhAFEAQgB1AEEARwBjAEEAQwBnAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBBAGcAQQBEADAAQQBJAEEAQQBrAEEARwBVAEEAZQBBAEIAbABBAEcATQBBAFgAdwBCADMAQQBIAEkAQQBZAFEAQgB3AEEASABBAEEAWgBRAEIAeQBBAEYAOABBAGMAdwBCADAAQQBIAEkAQQBMAGcAQgBUAEEASABBAEEAYgBBAEIAcABBAEgAUQBBAEsAQQBCAEEAQQBDAGcAQQBJAGcAQgBnAEEARABBAEEAWQBBAEEAdwBBAEcAQQBBAE0AQQBCAGcAQQBEAEEAQQBJAGcAQQBwAEEAQwB3AEEASQBBAEEAeQBBAEMAdwBBAEkAQQBCAGIAQQBGAE0AQQBkAEEAQgB5AEEARwBrAEEAYgBnAEIAbgBBAEYATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBQAEEASABBAEEAZABBAEIAcABBAEcAOABBAGIAZwBCAHoAQQBGADAAQQBPAGcAQQA2AEEARgBJAEEAWgBRAEIAdABBAEcAOABBAGQAZwBCAGwAQQBFAFUAQQBiAFEAQgB3AEEASABRAEEAZQBRAEIARgBBAEcANABBAGQAQQBCAHkAQQBHAGsAQQBaAFEAQgB6AEEAQwBrAEEAQwBnAEIASgBBAEcAWQBBAEkAQQBBAG8AQQBDADAAQQBiAGcAQgB2AEEASABRAEEASQBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBBAHUAQQBFAHcAQQBaAFEAQgB1AEEARwBjAEEAZABBAEIAbwBBAEMAQQBBAEwAUQBCAGwAQQBIAEUAQQBJAEEAQQB5AEEAQwBrAEEASQBBAEIANwBBAEMAQQBBAGQAQQBCAG8AQQBIAEkAQQBiAHcAQgAzAEEAQwBBAEEASQBnAEIAcABBAEcANABBAGQAZwBCAGgAQQBHAHcAQQBhAFEAQgBrAEEAQwBBAEEAYwBBAEIAaABBAEgAawBBAGIAQQBCAHYAQQBHAEUAQQBaAEEAQQBpAEEAQwBBAEEAZgBRAEEASwBBAEYATQBBAFoAUQBCADAAQQBDADAAQQBWAGcAQgBoAEEASABJAEEAYQBRAEIAaABBAEcASQBBAGIAQQBCAGwAQQBDAEEAQQBMAFEAQgBPAEEARwBFAEEAYgBRAEIAbABBAEMAQQBBAGEAZwBCAHoAQQBHADgAQQBiAGcAQgBmAEEASABJAEEAWQBRAEIAMwBBAEMAQQBBAEwAUQBCAFcAQQBHAEUAQQBiAEEAQgAxAEEARwBVAEEASQBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBCAGIAQQBEAEUAQQBYAFEAQQBLAEEAQwBRAEEAWgBRAEIANABBAEcAVQBBAFkAdwBCAGYAQQBIAGMAQQBjAGcAQgBoAEEASABBAEEAYwBBAEIAbABBAEgASQBBAEkAQQBBADkAQQBDAEEAQQBXAHcAQgBUAEEARwBNAEEAYwBnAEIAcABBAEgAQQBBAGQAQQBCAEMAQQBHAHcAQQBiAHcAQgBqAEEARwBzAEEAWABRAEEANgBBAEQAbwBBAFEAdwBCAHkAQQBHAFUAQQBZAFEAQgAwAEEARwBVAEEASwBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBCAGIAQQBEAEEAQQBYAFEAQQBwAEEAQQBvAEEASgBnAEEAawBBAEcAVQBBAGUAQQBCAGwAQQBHAE0AQQBYAHcAQgAzAEEASABJAEEAWQBRAEIAdwBBAEgAQQBBAFoAUQBCAHkAQQBBAD0APQA= 10341000x8000000000000000296Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:32.376{928AB1BB-E3EC-60C1-B402-00000000C301}41724192C:\Windows\system32\conhost.exe{928AB1BB-E3EC-60C1-B502-00000000C301}4244C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000295Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:32.376{928AB1BB-E35F-60C1-0C00-00000000C301}860888C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000294Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:32.376{928AB1BB-E35F-60C1-0C00-00000000C301}860888C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000293Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:32.376{928AB1BB-E35F-60C1-0C00-00000000C301}860888C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:32.376{928AB1BB-E35F-60C1-0C00-00000000C301}860888C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:32.376{928AB1BB-E35F-60C1-0C00-00000000C301}860888C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000290Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:32.376{928AB1BB-E35F-60C1-0C00-00000000C301}860888C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000289Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:32.376{928AB1BB-E35F-60C1-0C00-00000000C301}860888C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000288Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:32.376{928AB1BB-E35F-60C1-0C00-00000000C301}860888C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000287Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:32.376{928AB1BB-E349-60C1-0500-00000000C301}412500C:\Windows\system32\csrss.exe{928AB1BB-E3EC-60C1-B502-00000000C301}4244C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000286Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:32.376{928AB1BB-E35F-60C1-0C00-00000000C301}860888C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000285Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:32.376{928AB1BB-E3EC-60C1-B302-00000000C301}41604216C:\Windows\system32\WinrsHost.exe{928AB1BB-E3EC-60C1-B502-00000000C301}4244C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\WinrsHost.exe+2c94|C:\Windows\system32\WinrsHost.exe+2eb1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b 154100x8000000000000000284Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:32.388{928AB1BB-E3EC-60C1-B502-00000000C301}4244C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /C PowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand UABvAHcAZQByAFMAaABlAGwAbAAgAC0ATgBvAFAAcgBvAGYAaQBsAGUAIAAtAE4AbwBuAEkAbgB0AGUAcgBhAGMAdABpAHYAZQAgAC0ARQB4AGUAYwB1AHQAaQBvAG4AUABvAGwAaQBjAHkAIABVAG4AcgBlAHMAdAByAGkAYwB0AGUAZAAgAC0ARQBuAGMAbwBkAGUAZABDAG8AbQBtAGEAbgBkACAASgBnAEIAagBBAEcAZwBBAFkAdwBCAHcAQQBDADQAQQBZAHcAQgB2AEEARwAwAEEASQBBAEEAMgBBAEQAVQBBAE0AQQBBAHcAQQBEAEUAQQBJAEEAQQArAEEAQwBBAEEASgBBAEIAdQBBAEgAVQBBAGIAQQBCAHMAQQBBAG8AQQBKAEEAQgBsAEEASABnAEEAWgBRAEIAagBBAEYAOABBAGQAdwBCAHkAQQBHAEUAQQBjAEEAQgB3AEEARwBVAEEAYwBnAEIAZgBBAEgATQBBAGQAQQBCAHkAQQBDAEEAQQBQAFEAQQBnAEEAQwBRAEEAYQBRAEIAdQBBAEgAQQBBAGQAUQBCADAAQQBDAEEAQQBmAEEAQQBnAEEARQA4AEEAZABRAEIAMABBAEMAMABBAFUAdwBCADAAQQBIAEkAQQBhAFEAQgB1AEEARwBjAEEAQwBnAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBBAGcAQQBEADAAQQBJAEEAQQBrAEEARwBVAEEAZQBBAEIAbABBAEcATQBBAFgAdwBCADMAQQBIAEkAQQBZAFEAQgB3AEEASABBAEEAWgBRAEIAeQBBAEYAOABBAGMAdwBCADAAQQBIAEkAQQBMAGcAQgBUAEEASABBAEEAYgBBAEIAcABBAEgAUQBBAEsAQQBCAEEAQQBDAGcAQQBJAGcAQgBnAEEARABBAEEAWQBBAEEAdwBBAEcAQQBBAE0AQQBCAGcAQQBEAEEAQQBJAGcAQQBwAEEAQwB3AEEASQBBAEEAeQBBAEMAdwBBAEkAQQBCAGIAQQBGAE0AQQBkAEEAQgB5AEEARwBrAEEAYgBnAEIAbgBBAEYATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBQAEEASABBAEEAZABBAEIAcABBAEcAOABBAGIAZwBCAHoAQQBGADAAQQBPAGcAQQA2AEEARgBJAEEAWgBRAEIAdABBAEcAOABBAGQAZwBCAGwAQQBFAFUAQQBiAFEAQgB3AEEASABRAEEAZQBRAEIARgBBAEcANABBAGQAQQBCAHkAQQBHAGsAQQBaAFEAQgB6AEEAQwBrAEEAQwBnAEIASgBBAEcAWQBBAEkAQQBBAG8AQQBDADAAQQBiAGcAQgB2AEEASABRAEEASQBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBBAHUAQQBFAHcAQQBaAFEAQgB1AEEARwBjAEEAZABBAEIAbwBBAEMAQQBBAEwAUQBCAGwAQQBIAEUAQQBJAEEAQQB5AEEAQwBrAEEASQBBAEIANwBBAEMAQQBBAGQAQQBCAG8AQQBIAEkAQQBiAHcAQgAzAEEAQwBBAEEASQBnAEIAcABBAEcANABBAGQAZwBCAGgAQQBHAHcAQQBhAFEAQgBrAEEAQwBBAEEAYwBBAEIAaABBAEgAawBBAGIAQQBCAHYAQQBHAEUAQQBaAEEAQQBpAEEAQwBBAEEAZgBRAEEASwBBAEYATQBBAFoAUQBCADAAQQBDADAAQQBWAGcAQgBoAEEASABJAEEAYQBRAEIAaABBAEcASQBBAGIAQQBCAGwAQQBDAEEAQQBMAFEAQgBPAEEARwBFAEEAYgBRAEIAbABBAEMAQQBBAGEAZwBCAHoAQQBHADgAQQBiAGcAQgBmAEEASABJAEEAWQBRAEIAMwBBAEMAQQBBAEwAUQBCAFcAQQBHAEUAQQBiAEEAQgAxAEEARwBVAEEASQBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBCAGIAQQBEAEUAQQBYAFEAQQBLAEEAQwBRAEEAWgBRAEIANABBAEcAVQBBAFkAdwBCAGYAQQBIAGMAQQBjAGcAQgBoAEEASABBAEEAYwBBAEIAbABBAEgASQBBAEkAQQBBADkAQQBDAEEAQQBXAHcAQgBUAEEARwBNAEEAYwBnAEIAcABBAEgAQQBBAGQAQQBCAEMAQQBHAHcAQQBiAHcAQgBqAEEARwBzAEEAWABRAEEANgBBAEQAbwBBAFEAdwBCAHkAQQBHAFUAQQBZAFEAQgAwAEEARwBVAEEASwBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBCAGIAQQBEAEEAQQBYAFEAQQBwAEEAQQBvAEEASgBnAEEAawBBAEcAVQBBAGUAQQBCAGwAQQBHAE0AQQBYAHcAQgAzAEEASABJAEEAWQBRAEIAdwBBAEgAQQBBAFoAUQBCAHkAQQBBAD0APQA=C:\Users\Administrator\ATTACKRANGE\Administrator{928AB1BB-E3EC-60C1-35E9-0D0000000000}0xde9350HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{928AB1BB-E3EC-60C1-B302-00000000C301}4160C:\Windows\System32\winrshost.exeC:\Windows\system32\WinrsHost.exe -Embedding 10341000x8000000000000000283Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:32.376{928AB1BB-E35D-60C1-0B00-00000000C301}632852C:\Windows\system32\lsass.exe{928AB1BB-E35F-60C1-1300-00000000C301}964C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+1d1e8|C:\Windows\system32\lsasrv.dll+1c411|C:\Windows\system32\lsasrv.dll+1ac30|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000282Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:32.376{928AB1BB-E35D-60C1-0B00-00000000C301}632852C:\Windows\system32\lsass.exe{928AB1BB-E35F-60C1-1300-00000000C301}964C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+19616|C:\Windows\system32\lsasrv.dll+1abbf|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000281Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:32.376{928AB1BB-E35D-60C1-0B00-00000000C301}632852C:\Windows\system32\lsass.exe{928AB1BB-E35F-60C1-1300-00000000C301}964C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000280Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:32.360{928AB1BB-E35F-60C1-1300-00000000C301}9641256C:\Windows\system32\svchost.exe{928AB1BB-E3EC-60C1-B302-00000000C301}4160C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\winrscmd.dll+8d36|C:\Windows\system32\winrscmd.dll+92d5|C:\Windows\system32\winrscmd.dll+af31|C:\Windows\system32\winrscmd.dll+23dc|c:\windows\system32\wsmsvc.dll+155ac7|c:\windows\system32\wsmsvc.dll+13f76d|c:\windows\system32\wsmsvc.dll+13f3cf|c:\windows\system32\wsmsvc.dll+13fcb2|c:\windows\system32\wsmsvc.dll+9ab10|c:\windows\system32\wsmsvc.dll+9b611|c:\windows\system32\wsmsvc.dll+4495|c:\windows\system32\wsmsvc.dll+16816c|c:\windows\system32\wsmsvc.dll+1689b8|c:\windows\system32\wsmsvc.dll+16345b|c:\windows\system32\wsmsvc.dll+163125|c:\windows\system32\wsmsvc.dll+14ce9c|c:\windows\system32\wsmsvc.dll+130049|c:\windows\system32\wsmsvc.dll+13571a|c:\windows\system32\wsmsvc.dll+12f47e|c:\windows\system32\wsmsvc.dll+125587|c:\windows\system32\wsmsvc.dll+11f562|c:\windows\system32\wsmsvc.dll+124574 10341000x8000000000000000279Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:32.344{928AB1BB-E35F-60C1-0C00-00000000C301}860888C:\Windows\system32\svchost.exe{928AB1BB-E3EC-60C1-B302-00000000C301}4160C:\Windows\system32\WinrsHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000278Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:32.329{928AB1BB-E3EC-60C1-B402-00000000C301}41724192C:\Windows\system32\conhost.exe{928AB1BB-E3EC-60C1-B302-00000000C301}4160C:\Windows\system32\WinrsHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000277Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:32.329{928AB1BB-E349-60C1-0500-00000000C301}412532C:\Windows\system32\csrss.exe{928AB1BB-E3EC-60C1-B402-00000000C301}4172C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000276Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:32.329{928AB1BB-E35F-60C1-0C00-00000000C301}860888C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000275Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:32.329{928AB1BB-E35F-60C1-0C00-00000000C301}860888C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:32.329{928AB1BB-E35F-60C1-0C00-00000000C301}860888C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000273Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:32.329{928AB1BB-E35F-60C1-0C00-00000000C301}860888C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:32.329{928AB1BB-E35F-60C1-0C00-00000000C301}860888C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000271Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:32.329{928AB1BB-E35F-60C1-0C00-00000000C301}860888C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000270Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:32.329{928AB1BB-E35F-60C1-0C00-00000000C301}860904C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000269Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:32.329{928AB1BB-E35F-60C1-0C00-00000000C301}860904C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000268Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:32.329{928AB1BB-E35F-60C1-0C00-00000000C301}860904C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000267Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:32.329{928AB1BB-E349-60C1-0500-00000000C301}412428C:\Windows\system32\csrss.exe{928AB1BB-E3EC-60C1-B302-00000000C301}4160C:\Windows\system32\WinrsHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000266Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:32.329{928AB1BB-E35F-60C1-0C00-00000000C301}860888C:\Windows\system32\svchost.exe{928AB1BB-E3EC-60C1-B302-00000000C301}4160C:\Windows\system32\WinrsHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+35069|c:\windows\system32\rpcss.dll+3a852|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000265Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:32.333{928AB1BB-E3EC-60C1-B302-00000000C301}4160C:\Windows\System32\winrshost.exe10.0.14393.0 (rs1_release.160715-1616)Host Process for WinRM's Remote Shell pluginMicrosoft® Windows® Operating SystemMicrosoft Corporationwinrshost.exeC:\Windows\system32\WinrsHost.exe -EmbeddingC:\Windows\system32\ATTACKRANGE\Administrator{928AB1BB-E3EC-60C1-35E9-0D0000000000}0xde9350HighMD5=F40EC96CA18D88CB1F26FA2070010714,SHA256=607C014A3CA531FFAD50BCD90095C01E4E6B691D9E18473C70E4699CF1E31453,IMPHASH=4216D8E7F36901B61DFD6309B49BCF96{928AB1BB-E35F-60C1-0C00-00000000C301}860C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch 10341000x8000000000000000264Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:32.329{928AB1BB-E35D-60C1-0B00-00000000C301}632852C:\Windows\system32\lsass.exe{928AB1BB-E35F-60C1-1300-00000000C301}964C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+1d1e8|C:\Windows\system32\lsasrv.dll+1c411|C:\Windows\system32\lsasrv.dll+1ac30|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000263Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:32.329{928AB1BB-E35D-60C1-0B00-00000000C301}632852C:\Windows\system32\lsass.exe{928AB1BB-E35F-60C1-1300-00000000C301}964C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+19616|C:\Windows\system32\lsasrv.dll+1abbf|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000262Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:32.329{928AB1BB-E35D-60C1-0B00-00000000C301}632852C:\Windows\system32\lsass.exe{928AB1BB-E35F-60C1-1300-00000000C301}964C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000261Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:32.124{928AB1BB-E35D-60C1-0B00-00000000C301}632852C:\Windows\system32\lsass.exe{928AB1BB-E35F-60C1-1300-00000000C301}964C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+1d1e8|C:\Windows\system32\lsasrv.dll+1c411|C:\Windows\system32\lsasrv.dll+1ac30|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000260Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:32.124{928AB1BB-E35D-60C1-0B00-00000000C301}632852C:\Windows\system32\lsass.exe{928AB1BB-E35F-60C1-1300-00000000C301}964C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+19616|C:\Windows\system32\lsasrv.dll+1abbf|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:32.124{928AB1BB-E35D-60C1-0B00-00000000C301}632852C:\Windows\system32\lsass.exe{928AB1BB-E35F-60C1-1300-00000000C301}964C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000258Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:32.093{928AB1BB-E35D-60C1-0B00-00000000C301}632844C:\Windows\system32\lsass.exe{928AB1BB-E35F-60C1-1300-00000000C301}964C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+1d1e8|C:\Windows\system32\lsasrv.dll+1c411|C:\Windows\system32\lsasrv.dll+1ac30|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000257Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:32.093{928AB1BB-E35D-60C1-0B00-00000000C301}632844C:\Windows\system32\lsass.exe{928AB1BB-E35F-60C1-1300-00000000C301}964C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+19616|C:\Windows\system32\lsasrv.dll+1abbf|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000256Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:32.093{928AB1BB-E35D-60C1-0B00-00000000C301}632844C:\Windows\system32\lsass.exe{928AB1BB-E35F-60C1-1300-00000000C301}964C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000255Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:32.062{928AB1BB-E3E9-60C1-AE02-00000000C301}2892NT AUTHORITY\NETWORK SERVICEC:\Windows\system32\sppsvc.exeC:\Windows\System32\spp\store\2.0\tokens.dat.bakMD5=4C8A36F4ACD719F70E2DDEADE2ED2463,SHA256=E656639456DC39E26D8D6F4A0AB2F3DEB5A7B56057792F0B9D9BD63D550A6544,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000254Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:32.062{928AB1BB-E3E8-60C1-AB02-00000000C301}2144ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5=446DD1CF97EABA21CF14D03AEBC79F27,SHA256=A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000253Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:32.030{928AB1BB-E3EA-60C1-AF02-00000000C301}3112ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5=446DD1CF97EABA21CF14D03AEBC79F27,SHA256=A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000409Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:33.915{928AB1BB-E35D-60C1-0B00-00000000C301}632852C:\Windows\system32\lsass.exe{928AB1BB-E35F-60C1-1300-00000000C301}964C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+1d1e8|C:\Windows\system32\lsasrv.dll+1c411|C:\Windows\system32\lsasrv.dll+1ac30|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000408Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:33.915{928AB1BB-E35D-60C1-0B00-00000000C301}632852C:\Windows\system32\lsass.exe{928AB1BB-E35F-60C1-1300-00000000C301}964C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+19616|C:\Windows\system32\lsasrv.dll+1abbf|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000407Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:33.915{928AB1BB-E35D-60C1-0B00-00000000C301}632852C:\Windows\system32\lsass.exe{928AB1BB-E35F-60C1-1300-00000000C301}964C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000406Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:33.899{928AB1BB-E35D-60C1-0B00-00000000C301}632852C:\Windows\system32\lsass.exe{928AB1BB-E35F-60C1-1300-00000000C301}964C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+1d1e8|C:\Windows\system32\lsasrv.dll+1c411|C:\Windows\system32\lsasrv.dll+1ac30|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000405Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:33.899{928AB1BB-E35D-60C1-0B00-00000000C301}632852C:\Windows\system32\lsass.exe{928AB1BB-E35F-60C1-1300-00000000C301}964C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+19616|C:\Windows\system32\lsasrv.dll+1abbf|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000404Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:33.899{928AB1BB-E35D-60C1-0B00-00000000C301}632852C:\Windows\system32\lsass.exe{928AB1BB-E35F-60C1-1300-00000000C301}964C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000403Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:33.852{928AB1BB-E3EC-60C1-B602-00000000C301}4256ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5=446DD1CF97EABA21CF14D03AEBC79F27,SHA256=A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000402Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:33.821{928AB1BB-E3EC-60C1-B702-00000000C301}4360ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5=446DD1CF97EABA21CF14D03AEBC79F27,SHA256=A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000401Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-SetValue2021-06-10 10:05:33.789{928AB1BB-E3EC-60C1-B702-00000000C301}4360C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Sysmon/Operational\MaxSizeDWORD (0x12d2c000) 10341000x8000000000000000400Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:33.679{928AB1BB-E35D-60C1-0B00-00000000C301}632852C:\Windows\system32\lsass.exe{928AB1BB-E35F-60C1-1300-00000000C301}964C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+1d1e8|C:\Windows\system32\lsasrv.dll+1c411|C:\Windows\system32\lsasrv.dll+1ac30|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:33.679{928AB1BB-E35D-60C1-0B00-00000000C301}632852C:\Windows\system32\lsass.exe{928AB1BB-E35F-60C1-1300-00000000C301}964C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+19616|C:\Windows\system32\lsasrv.dll+1abbf|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000398Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:33.679{928AB1BB-E35D-60C1-0B00-00000000C301}632852C:\Windows\system32\lsass.exe{928AB1BB-E35F-60C1-1300-00000000C301}964C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000397Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:33.538{928AB1BB-E3EC-60C1-B702-00000000C301}4360ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\a3tcqlpr.0.csMD5=054C0A1487614BA970CB949FA443FFFB,SHA256=6B88C7F565FF6B5879B03F6F3622B596B63D0C76E3EC5751390A446AF187E21D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000396Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:33.538{928AB1BB-E3EC-60C1-B702-00000000C301}4360ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\a3tcqlpr.cmdlineMD5=B7A1DAFD611CE1E094EA8EB27F8187FE,SHA256=C83AC33E2F7758F940038CB006D5014404A055DAEA474C2507B699629EBB9ECB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000395Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:33.538{928AB1BB-E3EC-60C1-B702-00000000C301}4360ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\a3tcqlpr.pdbMD5=D063C9708C2533FC729587588D73A1AC,SHA256=432BEF4A340FD961B5391F58620C83ADE56E6D5DCDDA5FCE296112F6B047ADED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:33.538{928AB1BB-E3EC-60C1-B702-00000000C301}4360ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\a3tcqlpr.dllMD5=D5CC80CDE410C53D3305E98CA6D63E2F,SHA256=946CA617CFF8D4242821B75F35C15B299ADF9AE40C92DC1113E8FB5A0DE2D865,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruetrue 23542300x8000000000000000393Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:33.538{928AB1BB-E3EC-60C1-B702-00000000C301}4360ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\a3tcqlpr.outMD5=B6425CA0AE82460C70286A457C7541F8,SHA256=8344DB2F3F632EA5B7E6E67994749F7DAEC9787C9A633DF2D32C898108193946,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000392Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:33.538{928AB1BB-E3ED-60C1-B902-00000000C301}4512ATTACKRANGE\AdministratorC:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeC:\Users\Administrator\AppData\Local\Temp\CSC6362029214F1483F9767D818ABF91F5.TMPMD5=DAFBCD54A7DA98B96FBA81DD6198563C,SHA256=5D9DE83C868C8CAB975734CDD899752B95D87D0AB7E0D0751D738DF1C01C4941,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000391Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.localDLL2021-06-10 10:05:33.538{928AB1BB-E3ED-60C1-B902-00000000C301}4512C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeC:\Users\Administrator\AppData\Local\Temp\a3tcqlpr.dll2021-06-10 10:05:33.444 23542300x8000000000000000390Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:33.538{928AB1BB-E3ED-60C1-B902-00000000C301}4512ATTACKRANGE\AdministratorC:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeC:\Users\Administrator\AppData\Local\Temp\a3tcqlpr.dllMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000389Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:33.538{928AB1BB-E3ED-60C1-B902-00000000C301}4512ATTACKRANGE\AdministratorC:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeC:\Users\ADMINI~1\AppData\Local\Temp\RES867C.tmpMD5=67BA8498C04FE8242717E8285531EDB3,SHA256=A90DF3B459113E58055BADCA081CF721269AB76C6F10D9E7AF9097906B064C98,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000388Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:33.522{928AB1BB-E3ED-60C1-BA02-00000000C301}4532ATTACKRANGE\AdministratorC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Users\ADMINI~1\AppData\Local\Temp\RES867C.tmpMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000387Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:33.522{928AB1BB-E3EC-60C1-B402-00000000C301}41724192C:\Windows\system32\conhost.exe{928AB1BB-E3ED-60C1-BA02-00000000C301}4532C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000386Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:33.522{928AB1BB-E35F-60C1-0C00-00000000C301}860888C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000385Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:33.522{928AB1BB-E35F-60C1-0C00-00000000C301}860888C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000384Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:33.522{928AB1BB-E35F-60C1-0C00-00000000C301}860888C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000383Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:33.522{928AB1BB-E35F-60C1-0C00-00000000C301}860888C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000382Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:33.522{928AB1BB-E35F-60C1-0C00-00000000C301}860888C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000381Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:33.522{928AB1BB-E35F-60C1-0C00-00000000C301}860888C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000380Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:33.522{928AB1BB-E35F-60C1-0C00-00000000C301}860888C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000379Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:33.522{928AB1BB-E35F-60C1-0C00-00000000C301}860888C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000378Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:33.522{928AB1BB-E35F-60C1-0C00-00000000C301}860888C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000377Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:33.522{928AB1BB-E349-60C1-0500-00000000C301}412532C:\Windows\system32\csrss.exe{928AB1BB-E3ED-60C1-BA02-00000000C301}4532C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000376Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:33.522{928AB1BB-E3ED-60C1-B902-00000000C301}45124516C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe{928AB1BB-E3ED-60C1-BA02-00000000C301}4532C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+b46d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+3db4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+3f2c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+4002|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+27b2|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+2804|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+2948|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+7fe06|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+4726f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+45e1f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+45b16|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+45826|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+1938a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+18bf6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+a831|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+1f0a49|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000375Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:33.527{928AB1BB-E3ED-60C1-BA02-00000000C301}4532C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe14.10.25028.0 built by: VCTOOLSD15RTMMicrosoft® Resource File To COFF Object Conversion UtilityMicrosoft® .NET FrameworkMicrosoft CorporationCVTRES.EXEC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\ADMINI~1\AppData\Local\Temp\RES867C.tmp" "c:\Users\Administrator\AppData\Local\Temp\CSC6362029214F1483F9767D818ABF91F5.TMP"C:\Users\Administrator\ATTACKRANGE\Administrator{928AB1BB-E3EC-60C1-35E9-0D0000000000}0xde9350HighMD5=C877CBB966EA5939AA2A17B6A5160950,SHA256=1FE531EAC592B480AA4BD16052B909C3431434F17E7AE163D248355558CE43A6,IMPHASH=55D76ADE7FFEA0F41FF2B55505C2B362{928AB1BB-E3ED-60C1-B902-00000000C301}4512C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\ADMINI~1\AppData\Local\Temp\a3tcqlpr.cmdline" 10341000x8000000000000000374Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:33.444{928AB1BB-E3EC-60C1-B402-00000000C301}41724192C:\Windows\system32\conhost.exe{928AB1BB-E3ED-60C1-B902-00000000C301}4512C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000373Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:33.444{928AB1BB-E35F-60C1-0C00-00000000C301}860888C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000372Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:33.444{928AB1BB-E35F-60C1-0C00-00000000C301}860888C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000371Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:33.444{928AB1BB-E35F-60C1-0C00-00000000C301}860888C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000370Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:33.444{928AB1BB-E35F-60C1-0C00-00000000C301}860888C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000369Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:33.444{928AB1BB-E35F-60C1-0C00-00000000C301}860888C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000368Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:33.444{928AB1BB-E35F-60C1-0C00-00000000C301}860888C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000367Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:33.444{928AB1BB-E35F-60C1-0C00-00000000C301}860888C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000366Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:33.444{928AB1BB-E35F-60C1-0C00-00000000C301}860888C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000365Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:33.444{928AB1BB-E35F-60C1-0C00-00000000C301}860888C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000364Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:33.444{928AB1BB-E349-60C1-0500-00000000C301}412532C:\Windows\system32\csrss.exe{928AB1BB-E3ED-60C1-B902-00000000C301}4512C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000363Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:33.444{928AB1BB-E3EC-60C1-B702-00000000C301}43604460C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{928AB1BB-E3ED-60C1-B902-00000000C301}4512C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\92b818b675d92827ce6f9fe02da8f648\System.ni.dll+384236|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\92b818b675d92827ce6f9fe02da8f648\System.ni.dll+2be405|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\92b818b675d92827ce6f9fe02da8f648\System.ni.dll+2be05f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\92b818b675d92827ce6f9fe02da8f648\System.ni.dll+2bdb80|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\92b818b675d92827ce6f9fe02da8f648\System.ni.dll+2bdb08|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\92b818b675d92827ce6f9fe02da8f648\System.ni.dll+2bc1c3|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\92b818b675d92827ce6f9fe02da8f648\System.ni.dll+7d8ed2|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\92b818b675d92827ce6f9fe02da8f648\System.ni.dll+7d894a|UNKNOWN(00007FFE6D60B6EF) 154100x8000000000000000362Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:33.451{928AB1BB-E3ED-60C1-B902-00000000C301}4512C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe4.8.3761.0 built by: NET48REL1Visual C# Command Line CompilerMicrosoft® .NET FrameworkMicrosoft Corporationcsc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\ADMINI~1\AppData\Local\Temp\a3tcqlpr.cmdline"C:\Users\Administrator\ATTACKRANGE\Administrator{928AB1BB-E3EC-60C1-35E9-0D0000000000}0xde9350HighMD5=23EE3D381CFE3B9F6229483E2CE2F9E1,SHA256=4240A12E0B246C9D69AF1F697488FE7DA1B497DF20F4A6F95135B4D5FE180A57,IMPHASH=EE1E569AD02AA1F7AECA80AC0601D80D{928AB1BB-E3EC-60C1-B702-00000000C301}4360C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand JgBjAGgAYwBwAC4AYwBvAG0AIAA2ADUAMAAwADEAIAA+ACAAJABuAHUAbABsAAoAJABlAHgAZQBjAF8AdwByAGEAcABwAGUAcgBfAHMAdAByACAAPQAgACQAaQBuAHAAdQB0ACAAfAAgAE8AdQB0AC0AUwB0AHIAaQBuAGcACgAkAHMAcABsAGkAdABfAHAAYQByAHQAcwAgAD0AIAAkAGUAeABlAGMAXwB3AHIAYQBwAHAAZQByAF8AcwB0AHIALgBTAHAAbABpAHQAKABAACgAIgBgADAAYAAwAGAAMABgADAAIgApACwAIAAyACwAIABbAFMAdAByAGkAbgBnAFMAcABsAGkAdABPAHAAdABpAG8AbgBzAF0AOgA6AFIAZQBtAG8AdgBlAEUAbQBwAHQAeQBFAG4AdAByAGkAZQBzACkACgBJAGYAIAAoAC0AbgBvAHQAIAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwAuAEwAZQBuAGcAdABoACAALQBlAHEAIAAyACkAIAB7ACAAdABoAHIAbwB3ACAAIgBpAG4AdgBhAGwAaQBkACAAcABhAHkAbABvAGEAZAAiACAAfQAKAFMAZQB0AC0AVgBhAHIAaQBhAGIAbABlACAALQBOAGEAbQBlACAAagBzAG8AbgBfAHIAYQB3ACAALQBWAGEAbAB1AGUAIAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwBbADEAXQAKACQAZQB4AGUAYwBfAHcAcgBhAHAAcABlAHIAIAA9ACAAWwBTAGMAcgBpAHAAdABCAGwAbwBjAGsAXQA6ADoAQwByAGUAYQB0AGUAKAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwBbADAAXQApAAoAJgAkAGUAeABlAGMAXwB3AHIAYQBwAHAAZQByAA== 11241100x8000000000000000361Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:33.444{928AB1BB-E3EC-60C1-B702-00000000C301}4360C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\a3tcqlpr.cmdline2021-06-10 10:05:33.444 11241100x8000000000000000360Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.localDLL2021-06-10 10:05:33.444{928AB1BB-E3EC-60C1-B702-00000000C301}4360C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\a3tcqlpr.dll2021-06-10 10:05:33.444 354300x8000000000000000359Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:31.019{928AB1BB-E36F-60C1-1F00-00000000C301}2448C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse10.0.1.14win-dc-365.attackrange.local62496-false10.0.0.2ip-10-0-0-2.eu-central-1.compute.internal53domain 354300x8000000000000000358Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:31.019{928AB1BB-E36F-60C1-1F00-00000000C301}2448C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-365.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-365.attackrange.local63142- 10341000x8000000000000000357Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:33.145{928AB1BB-E35D-60C1-0B00-00000000C301}632852C:\Windows\system32\lsass.exe{928AB1BB-E35F-60C1-1300-00000000C301}964C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+1d1e8|C:\Windows\system32\lsasrv.dll+1c411|C:\Windows\system32\lsasrv.dll+1ac30|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000356Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:33.145{928AB1BB-E35D-60C1-0B00-00000000C301}632852C:\Windows\system32\lsass.exe{928AB1BB-E35F-60C1-1300-00000000C301}964C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+19616|C:\Windows\system32\lsasrv.dll+1abbf|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000355Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:33.145{928AB1BB-E35D-60C1-0B00-00000000C301}632852C:\Windows\system32\lsass.exe{928AB1BB-E35F-60C1-1300-00000000C301}964C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000503Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:34.779{928AB1BB-E35D-60C1-0B00-00000000C301}632852C:\Windows\system32\lsass.exe{928AB1BB-E35F-60C1-1300-00000000C301}964C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+1d1e8|C:\Windows\system32\lsasrv.dll+1c411|C:\Windows\system32\lsasrv.dll+1ac30|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000502Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:34.779{928AB1BB-E35D-60C1-0B00-00000000C301}632852C:\Windows\system32\lsass.exe{928AB1BB-E35F-60C1-1300-00000000C301}964C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+19616|C:\Windows\system32\lsasrv.dll+1abbf|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000501Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:34.779{928AB1BB-E35D-60C1-0B00-00000000C301}632852C:\Windows\system32\lsass.exe{928AB1BB-E35F-60C1-1300-00000000C301}964C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000500Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:34.417{928AB1BB-E3EE-60C1-BC02-00000000C301}46004620C:\Windows\system32\conhost.exe{928AB1BB-E3EE-60C1-C002-00000000C301}4868C:\Windows\system32\chcp.com0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000499Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:34.417{928AB1BB-E35F-60C1-0C00-00000000C301}860904C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000498Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:34.417{928AB1BB-E35F-60C1-0C00-00000000C301}860904C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000497Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:34.417{928AB1BB-E35F-60C1-0C00-00000000C301}860904C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000496Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:34.417{928AB1BB-E35F-60C1-0C00-00000000C301}860904C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000495Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:34.417{928AB1BB-E35F-60C1-0C00-00000000C301}860904C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000494Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:34.417{928AB1BB-E35F-60C1-0C00-00000000C301}860904C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000493Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:34.417{928AB1BB-E35F-60C1-0C00-00000000C301}860904C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000492Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:34.417{928AB1BB-E35F-60C1-0C00-00000000C301}860904C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000491Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:34.417{928AB1BB-E349-60C1-0500-00000000C301}412532C:\Windows\system32\csrss.exe{928AB1BB-E3EE-60C1-C002-00000000C301}4868C:\Windows\system32\chcp.com0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000490Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:34.417{928AB1BB-E35F-60C1-0C00-00000000C301}860904C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000489Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:34.417{928AB1BB-E3EE-60C1-BF02-00000000C301}47724864C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{928AB1BB-E3EE-60C1-C002-00000000C301}4868C:\Windows\system32\chcp.com0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\92b818b675d92827ce6f9fe02da8f648\System.ni.dll+384236|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\92b818b675d92827ce6f9fe02da8f648\System.ni.dll+2c4809|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\92b818b675d92827ce6f9fe02da8f648\System.ni.dll+2c4179|UNKNOWN(00007FFEC4B981F9)|UNKNOWN(00007FFEC400B4F2)|UNKNOWN(00007FFEC400B12D)|UNKNOWN(00007FFEC4AE35BB)|UNKNOWN(00007FFEC3FC809F)|UNKNOWN(00007FFEC402BB11)|UNKNOWN(00007FFEC400DB20)|UNKNOWN(00007FFEC400DB20)|UNKNOWN(00007FFEC400D9B1)|UNKNOWN(00007FFEC3FFE6D1)|UNKNOWN(00007FFEC400BC13)|UNKNOWN(00007FFEC400B7E0)|UNKNOWN(00007FFEC400B4F2)|UNKNOWN(00007FFEC400B12D)|UNKNOWN(00007FFEC4AE35BB)|UNKNOWN(00007FFEC3FF03D8)|UNKNOWN(00007FFEC3FEF94A) 154100x8000000000000000488Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:34.430{928AB1BB-E3EE-60C1-C002-00000000C301}4868C:\Windows\System32\chcp.com10.0.14393.0 (rs1_release.160715-1616)Change CodePage UtilityMicrosoft® Windows® Operating SystemMicrosoft CorporationCHCP.COM"C:\Windows\system32\chcp.com" 65001C:\Users\Administrator\ATTACKRANGE\Administrator{928AB1BB-E3EE-60C1-E325-0E0000000000}0xe25e30HighMD5=BA6FD5B883C0899785D17CEBE66A25F6,SHA256=9FDBDF88CF2BB2794C416E3083553F2898AC9DC92DFAC2478B4C1DF667DF7C74,IMPHASH=4FB30D6E330F3FB3DB61550BD7FA7CCD{928AB1BB-E3EE-60C1-BF02-00000000C301}4772C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand JgBjAGgAYwBwAC4AYwBvAG0AIAA2ADUAMAAwADEAIAA+ACAAJABuAHUAbABsAAoAJABlAHgAZQBjAF8AdwByAGEAcABwAGUAcgBfAHMAdAByACAAPQAgACQAaQBuAHAAdQB0ACAAfAAgAE8AdQB0AC0AUwB0AHIAaQBuAGcACgAkAHMAcABsAGkAdABfAHAAYQByAHQAcwAgAD0AIAAkAGUAeABlAGMAXwB3AHIAYQBwAHAAZQByAF8AcwB0AHIALgBTAHAAbABpAHQAKABAACgAIgBgADAAYAAwAGAAMABgADAAIgApACwAIAAyACwAIABbAFMAdAByAGkAbgBnAFMAcABsAGkAdABPAHAAdABpAG8AbgBzAF0AOgA6AFIAZQBtAG8AdgBlAEUAbQBwAHQAeQBFAG4AdAByAGkAZQBzACkACgBJAGYAIAAoAC0AbgBvAHQAIAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwAuAEwAZQBuAGcAdABoACAALQBlAHEAIAAyACkAIAB7ACAAdABoAHIAbwB3ACAAIgBpAG4AdgBhAGwAaQBkACAAcABhAHkAbABvAGEAZAAiACAAfQAKAFMAZQB0AC0AVgBhAHIAaQBhAGIAbABlACAALQBOAGEAbQBlACAAagBzAG8AbgBfAHIAYQB3ACAALQBWAGEAbAB1AGUAIAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwBbADEAXQAKACQAZQB4AGUAYwBfAHcAcgBhAHAAcABlAHIAIAA9ACAAWwBTAGMAcgBpAHAAdABCAGwAbwBjAGsAXQA6ADoAQwByAGUAYQB0AGUAKAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwBbADAAXQApAAoAJgAkAGUAeABlAGMAXwB3AHIAYQBwAHAAZQByAA== 10341000x8000000000000000487Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:34.370{928AB1BB-E35D-60C1-0B00-00000000C301}632852C:\Windows\system32\lsass.exe{928AB1BB-E3EE-60C1-BF02-00000000C301}4772C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000486Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:34.370{928AB1BB-E35D-60C1-0B00-00000000C301}632852C:\Windows\system32\lsass.exe{928AB1BB-E3EE-60C1-BF02-00000000C301}4772C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 17141700x8000000000000000485Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-CreatePipe2021-06-10 10:05:34.355{928AB1BB-E3EE-60C1-BF02-00000000C301}4772\PSHost.132677931343088240.4772.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 23542300x8000000000000000484Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:34.355{928AB1BB-E3EE-60C1-BF02-00000000C301}4772ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_gwjs4ojk.5nk.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000483Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:34.355{928AB1BB-E3EE-60C1-BF02-00000000C301}4772ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_cmec1ps0.0w4.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000482Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:34.339{928AB1BB-E3EE-60C1-BF02-00000000C301}4772C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_cmec1ps0.0w4.ps12021-06-10 10:05:34.339 10341000x8000000000000000481Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:34.323{928AB1BB-E35F-60C1-0C00-00000000C301}860904C:\Windows\system32\svchost.exe{928AB1BB-E3EE-60C1-BF02-00000000C301}4772C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000480Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:34.308{928AB1BB-E3EE-60C1-BC02-00000000C301}46004620C:\Windows\system32\conhost.exe{928AB1BB-E3EE-60C1-BF02-00000000C301}4772C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000479Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:34.308{928AB1BB-E35F-60C1-0C00-00000000C301}860904C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000478Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:34.308{928AB1BB-E35F-60C1-0C00-00000000C301}860904C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000477Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:34.308{928AB1BB-E35F-60C1-0C00-00000000C301}860904C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000476Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:34.308{928AB1BB-E35F-60C1-0C00-00000000C301}860904C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000475Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:34.308{928AB1BB-E35F-60C1-0C00-00000000C301}860904C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000474Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:34.308{928AB1BB-E35F-60C1-0C00-00000000C301}860904C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000473Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:34.308{928AB1BB-E35F-60C1-0C00-00000000C301}860904C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000472Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:34.308{928AB1BB-E35F-60C1-0C00-00000000C301}860904C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000471Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:34.308{928AB1BB-E349-60C1-0500-00000000C301}412532C:\Windows\system32\csrss.exe{928AB1BB-E3EE-60C1-BF02-00000000C301}4772C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000470Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:34.308{928AB1BB-E35F-60C1-0C00-00000000C301}860904C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000469Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:34.308{928AB1BB-E3EE-60C1-BE02-00000000C301}46764768C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{928AB1BB-E3EE-60C1-BF02-00000000C301}4772C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\92b818b675d92827ce6f9fe02da8f648\System.ni.dll+384236|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\92b818b675d92827ce6f9fe02da8f648\System.ni.dll+2c4809|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\92b818b675d92827ce6f9fe02da8f648\System.ni.dll+2c4179|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c4508187(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c397b480(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c397b0bb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c4453549(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c393802d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c399ba9f(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c397daae(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c397daae(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c397d93f(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c396e65f(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c397bba1(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c397b76e(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c397b480(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c397b0bb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c4453549(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c3960366(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c395f8d8(wow64) 154100x8000000000000000468Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:34.308{928AB1BB-E3EE-60C1-BF02-00000000C301}4772C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXE"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand JgBjAGgAYwBwAC4AYwBvAG0AIAA2ADUAMAAwADEAIAA+ACAAJABuAHUAbABsAAoAJABlAHgAZQBjAF8AdwByAGEAcABwAGUAcgBfAHMAdAByACAAPQAgACQAaQBuAHAAdQB0ACAAfAAgAE8AdQB0AC0AUwB0AHIAaQBuAGcACgAkAHMAcABsAGkAdABfAHAAYQByAHQAcwAgAD0AIAAkAGUAeABlAGMAXwB3AHIAYQBwAHAAZQByAF8AcwB0AHIALgBTAHAAbABpAHQAKABAACgAIgBgADAAYAAwAGAAMABgADAAIgApACwAIAAyACwAIABbAFMAdAByAGkAbgBnAFMAcABsAGkAdABPAHAAdABpAG8AbgBzAF0AOgA6AFIAZQBtAG8AdgBlAEUAbQBwAHQAeQBFAG4AdAByAGkAZQBzACkACgBJAGYAIAAoAC0AbgBvAHQAIAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwAuAEwAZQBuAGcAdABoACAALQBlAHEAIAAyACkAIAB7ACAAdABoAHIAbwB3ACAAIgBpAG4AdgBhAGwAaQBkACAAcABhAHkAbABvAGEAZAAiACAAfQAKAFMAZQB0AC0AVgBhAHIAaQBhAGIAbABlACAALQBOAGEAbQBlACAAagBzAG8AbgBfAHIAYQB3ACAALQBWAGEAbAB1AGUAIAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwBbADEAXQAKACQAZQB4AGUAYwBfAHcAcgBhAHAAcABlAHIAIAA9ACAAWwBTAGMAcgBpAHAAdABCAGwAbwBjAGsAXQA6ADoAQwByAGUAYQB0AGUAKAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwBbADAAXQApAAoAJgAkAGUAeABlAGMAXwB3AHIAYQBwAHAAZQByAA==C:\Users\Administrator\ATTACKRANGE\Administrator{928AB1BB-E3EE-60C1-E325-0E0000000000}0xe25e30HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{928AB1BB-E3EE-60C1-BE02-00000000C301}4676C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand UABvAHcAZQByAFMAaABlAGwAbAAgAC0ATgBvAFAAcgBvAGYAaQBsAGUAIAAtAE4AbwBuAEkAbgB0AGUAcgBhAGMAdABpAHYAZQAgAC0ARQB4AGUAYwB1AHQAaQBvAG4AUABvAGwAaQBjAHkAIABVAG4AcgBlAHMAdAByAGkAYwB0AGUAZAAgAC0ARQBuAGMAbwBkAGUAZABDAG8AbQBtAGEAbgBkACAASgBnAEIAagBBAEcAZwBBAFkAdwBCAHcAQQBDADQAQQBZAHcAQgB2AEEARwAwAEEASQBBAEEAMgBBAEQAVQBBAE0AQQBBAHcAQQBEAEUAQQBJAEEAQQArAEEAQwBBAEEASgBBAEIAdQBBAEgAVQBBAGIAQQBCAHMAQQBBAG8AQQBKAEEAQgBsAEEASABnAEEAWgBRAEIAagBBAEYAOABBAGQAdwBCAHkAQQBHAEUAQQBjAEEAQgB3AEEARwBVAEEAYwBnAEIAZgBBAEgATQBBAGQAQQBCAHkAQQBDAEEAQQBQAFEAQQBnAEEAQwBRAEEAYQBRAEIAdQBBAEgAQQBBAGQAUQBCADAAQQBDAEEAQQBmAEEAQQBnAEEARQA4AEEAZABRAEIAMABBAEMAMABBAFUAdwBCADAAQQBIAEkAQQBhAFEAQgB1AEEARwBjAEEAQwBnAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBBAGcAQQBEADAAQQBJAEEAQQBrAEEARwBVAEEAZQBBAEIAbABBAEcATQBBAFgAdwBCADMAQQBIAEkAQQBZAFEAQgB3AEEASABBAEEAWgBRAEIAeQBBAEYAOABBAGMAdwBCADAAQQBIAEkAQQBMAGcAQgBUAEEASABBAEEAYgBBAEIAcABBAEgAUQBBAEsAQQBCAEEAQQBDAGcAQQBJAGcAQgBnAEEARABBAEEAWQBBAEEAdwBBAEcAQQBBAE0AQQBCAGcAQQBEAEEAQQBJAGcAQQBwAEEAQwB3AEEASQBBAEEAeQBBAEMAdwBBAEkAQQBCAGIAQQBGAE0AQQBkAEEAQgB5AEEARwBrAEEAYgBnAEIAbgBBAEYATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBQAEEASABBAEEAZABBAEIAcABBAEcAOABBAGIAZwBCAHoAQQBGADAAQQBPAGcAQQA2AEEARgBJAEEAWgBRAEIAdABBAEcAOABBAGQAZwBCAGwAQQBFAFUAQQBiAFEAQgB3AEEASABRAEEAZQBRAEIARgBBAEcANABBAGQAQQBCAHkAQQBHAGsAQQBaAFEAQgB6AEEAQwBrAEEAQwBnAEIASgBBAEcAWQBBAEkAQQBBAG8AQQBDADAAQQBiAGcAQgB2AEEASABRAEEASQBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBBAHUAQQBFAHcAQQBaAFEAQgB1AEEARwBjAEEAZABBAEIAbwBBAEMAQQBBAEwAUQBCAGwAQQBIAEUAQQBJAEEAQQB5AEEAQwBrAEEASQBBAEIANwBBAEMAQQBBAGQAQQBCAG8AQQBIAEkAQQBiAHcAQgAzAEEAQwBBAEEASQBnAEIAcABBAEcANABBAGQAZwBCAGgAQQBHAHcAQQBhAFEAQgBrAEEAQwBBAEEAYwBBAEIAaABBAEgAawBBAGIAQQBCAHYAQQBHAEUAQQBaAEEAQQBpAEEAQwBBAEEAZgBRAEEASwBBAEYATQBBAFoAUQBCADAAQQBDADAAQQBWAGcAQgBoAEEASABJAEEAYQBRAEIAaABBAEcASQBBAGIAQQBCAGwAQQBDAEEAQQBMAFEAQgBPAEEARwBFAEEAYgBRAEIAbABBAEMAQQBBAGEAZwBCAHoAQQBHADgAQQBiAGcAQgBmAEEASABJAEEAWQBRAEIAMwBBAEMAQQBBAEwAUQBCAFcAQQBHAEUAQQBiAEEAQgAxAEEARwBVAEEASQBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBCAGIAQQBEAEUAQQBYAFEAQQBLAEEAQwBRAEEAWgBRAEIANABBAEcAVQBBAFkAdwBCAGYAQQBIAGMAQQBjAGcAQgBoAEEASABBAEEAYwBBAEIAbABBAEgASQBBAEkAQQBBADkAQQBDAEEAQQBXAHcAQgBUAEEARwBNAEEAYwBnAEIAcABBAEgAQQBBAGQAQQBCAEMAQQBHAHcAQQBiAHcAQgBqAEEARwBzAEEAWABRAEEANgBBAEQAbwBBAFEAdwBCAHkAQQBHAFUAQQBZAFEAQgAwAEEARwBVAEEASwBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBCAGIAQQBEAEEAQQBYAFEAQQBwAEEAQQBvAEEASgBnAEEAawBBAEcAVQBBAGUAQQBCAGwAQQBHAE0AQQBYAHcAQgAzAEEASABJAEEAWQBRAEIAdwBBAEgAQQBBAFoAUQBCAHkAQQBBAD0APQA= 10341000x8000000000000000467Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:34.260{928AB1BB-E35D-60C1-0B00-00000000C301}632852C:\Windows\system32\lsass.exe{928AB1BB-E3EE-60C1-BE02-00000000C301}4676C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000466Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:34.260{928AB1BB-E35D-60C1-0B00-00000000C301}632852C:\Windows\system32\lsass.exe{928AB1BB-E3EE-60C1-BE02-00000000C301}4676C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 17141700x8000000000000000465Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-CreatePipe2021-06-10 10:05:34.245{928AB1BB-E3EE-60C1-BE02-00000000C301}4676\PSHost.132677931341910343.4676.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 23542300x8000000000000000464Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:34.229{928AB1BB-E3EE-60C1-BE02-00000000C301}4676ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_kjqnb31m.cv0.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000463Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:34.229{928AB1BB-E3EE-60C1-BE02-00000000C301}4676ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_h15vj5dz.tjs.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000462Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:34.229{928AB1BB-E3EE-60C1-BE02-00000000C301}4676C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_h15vj5dz.tjs.ps12021-06-10 10:05:34.229 10341000x8000000000000000461Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:34.213{928AB1BB-E35F-60C1-0C00-00000000C301}860904C:\Windows\system32\svchost.exe{928AB1BB-E3EE-60C1-BE02-00000000C301}4676C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000460Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:34.198{928AB1BB-E35D-60C1-0B00-00000000C301}632852C:\Windows\system32\lsass.exe{928AB1BB-E35F-60C1-1300-00000000C301}964C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+1d1e8|C:\Windows\system32\lsasrv.dll+1c411|C:\Windows\system32\lsasrv.dll+1ac30|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000459Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:34.198{928AB1BB-E35D-60C1-0B00-00000000C301}632852C:\Windows\system32\lsass.exe{928AB1BB-E35F-60C1-1300-00000000C301}964C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+19616|C:\Windows\system32\lsasrv.dll+1abbf|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000458Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:34.198{928AB1BB-E35D-60C1-0B00-00000000C301}632852C:\Windows\system32\lsass.exe{928AB1BB-E35F-60C1-1300-00000000C301}964C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000457Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:34.182{928AB1BB-E3EE-60C1-BC02-00000000C301}46004620C:\Windows\system32\conhost.exe{928AB1BB-E3EE-60C1-BE02-00000000C301}4676C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000456Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:34.182{928AB1BB-E35F-60C1-0C00-00000000C301}860904C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000455Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:34.182{928AB1BB-E35F-60C1-0C00-00000000C301}860904C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000454Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:34.182{928AB1BB-E35F-60C1-0C00-00000000C301}860904C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000453Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:34.182{928AB1BB-E35F-60C1-0C00-00000000C301}860904C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000452Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:34.182{928AB1BB-E35F-60C1-0C00-00000000C301}860904C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000451Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:34.182{928AB1BB-E35F-60C1-0C00-00000000C301}860904C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000450Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:34.182{928AB1BB-E35F-60C1-0C00-00000000C301}860904C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000449Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:34.182{928AB1BB-E35F-60C1-0C00-00000000C301}860904C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000448Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:34.182{928AB1BB-E35F-60C1-0C00-00000000C301}860904C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000447Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:34.182{928AB1BB-E349-60C1-0500-00000000C301}412532C:\Windows\system32\csrss.exe{928AB1BB-E3EE-60C1-BE02-00000000C301}4676C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000446Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:34.182{928AB1BB-E3EE-60C1-BD02-00000000C301}46644668C:\Windows\system32\cmd.exe{928AB1BB-E3EE-60C1-BE02-00000000C301}4676C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000445Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:34.191{928AB1BB-E3EE-60C1-BE02-00000000C301}4676C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXEPowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand UABvAHcAZQByAFMAaABlAGwAbAAgAC0ATgBvAFAAcgBvAGYAaQBsAGUAIAAtAE4AbwBuAEkAbgB0AGUAcgBhAGMAdABpAHYAZQAgAC0ARQB4AGUAYwB1AHQAaQBvAG4AUABvAGwAaQBjAHkAIABVAG4AcgBlAHMAdAByAGkAYwB0AGUAZAAgAC0ARQBuAGMAbwBkAGUAZABDAG8AbQBtAGEAbgBkACAASgBnAEIAagBBAEcAZwBBAFkAdwBCAHcAQQBDADQAQQBZAHcAQgB2AEEARwAwAEEASQBBAEEAMgBBAEQAVQBBAE0AQQBBAHcAQQBEAEUAQQBJAEEAQQArAEEAQwBBAEEASgBBAEIAdQBBAEgAVQBBAGIAQQBCAHMAQQBBAG8AQQBKAEEAQgBsAEEASABnAEEAWgBRAEIAagBBAEYAOABBAGQAdwBCAHkAQQBHAEUAQQBjAEEAQgB3AEEARwBVAEEAYwBnAEIAZgBBAEgATQBBAGQAQQBCAHkAQQBDAEEAQQBQAFEAQQBnAEEAQwBRAEEAYQBRAEIAdQBBAEgAQQBBAGQAUQBCADAAQQBDAEEAQQBmAEEAQQBnAEEARQA4AEEAZABRAEIAMABBAEMAMABBAFUAdwBCADAAQQBIAEkAQQBhAFEAQgB1AEEARwBjAEEAQwBnAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBBAGcAQQBEADAAQQBJAEEAQQBrAEEARwBVAEEAZQBBAEIAbABBAEcATQBBAFgAdwBCADMAQQBIAEkAQQBZAFEAQgB3AEEASABBAEEAWgBRAEIAeQBBAEYAOABBAGMAdwBCADAAQQBIAEkAQQBMAGcAQgBUAEEASABBAEEAYgBBAEIAcABBAEgAUQBBAEsAQQBCAEEAQQBDAGcAQQBJAGcAQgBnAEEARABBAEEAWQBBAEEAdwBBAEcAQQBBAE0AQQBCAGcAQQBEAEEAQQBJAGcAQQBwAEEAQwB3AEEASQBBAEEAeQBBAEMAdwBBAEkAQQBCAGIAQQBGAE0AQQBkAEEAQgB5AEEARwBrAEEAYgBnAEIAbgBBAEYATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBQAEEASABBAEEAZABBAEIAcABBAEcAOABBAGIAZwBCAHoAQQBGADAAQQBPAGcAQQA2AEEARgBJAEEAWgBRAEIAdABBAEcAOABBAGQAZwBCAGwAQQBFAFUAQQBiAFEAQgB3AEEASABRAEEAZQBRAEIARgBBAEcANABBAGQAQQBCAHkAQQBHAGsAQQBaAFEAQgB6AEEAQwBrAEEAQwBnAEIASgBBAEcAWQBBAEkAQQBBAG8AQQBDADAAQQBiAGcAQgB2AEEASABRAEEASQBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBBAHUAQQBFAHcAQQBaAFEAQgB1AEEARwBjAEEAZABBAEIAbwBBAEMAQQBBAEwAUQBCAGwAQQBIAEUAQQBJAEEAQQB5AEEAQwBrAEEASQBBAEIANwBBAEMAQQBBAGQAQQBCAG8AQQBIAEkAQQBiAHcAQgAzAEEAQwBBAEEASQBnAEIAcABBAEcANABBAGQAZwBCAGgAQQBHAHcAQQBhAFEAQgBrAEEAQwBBAEEAYwBBAEIAaABBAEgAawBBAGIAQQBCAHYAQQBHAEUAQQBaAEEAQQBpAEEAQwBBAEEAZgBRAEEASwBBAEYATQBBAFoAUQBCADAAQQBDADAAQQBWAGcAQgBoAEEASABJAEEAYQBRAEIAaABBAEcASQBBAGIAQQBCAGwAQQBDAEEAQQBMAFEAQgBPAEEARwBFAEEAYgBRAEIAbABBAEMAQQBBAGEAZwBCAHoAQQBHADgAQQBiAGcAQgBmAEEASABJAEEAWQBRAEIAMwBBAEMAQQBBAEwAUQBCAFcAQQBHAEUAQQBiAEEAQgAxAEEARwBVAEEASQBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBCAGIAQQBEAEUAQQBYAFEAQQBLAEEAQwBRAEEAWgBRAEIANABBAEcAVQBBAFkAdwBCAGYAQQBIAGMAQQBjAGcAQgBoAEEASABBAEEAYwBBAEIAbABBAEgASQBBAEkAQQBBADkAQQBDAEEAQQBXAHcAQgBUAEEARwBNAEEAYwBnAEIAcABBAEgAQQBBAGQAQQBCAEMAQQBHAHcAQQBiAHcAQgBqAEEARwBzAEEAWABRAEEANgBBAEQAbwBBAFEAdwBCAHkAQQBHAFUAQQBZAFEAQgAwAEEARwBVAEEASwBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBCAGIAQQBEAEEAQQBYAFEAQQBwAEEAQQBvAEEASgBnAEEAawBBAEcAVQBBAGUAQQBCAGwAQQBHAE0AQQBYAHcAQgAzAEEASABJAEEAWQBRAEIAdwBBAEgAQQBBAFoAUQBCAHkAQQBBAD0APQA=C:\Users\Administrator\ATTACKRANGE\Administrator{928AB1BB-E3EE-60C1-E325-0E0000000000}0xe25e30HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{928AB1BB-E3EE-60C1-BD02-00000000C301}4664C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /C PowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand UABvAHcAZQByAFMAaABlAGwAbAAgAC0ATgBvAFAAcgBvAGYAaQBsAGUAIAAtAE4AbwBuAEkAbgB0AGUAcgBhAGMAdABpAHYAZQAgAC0ARQB4AGUAYwB1AHQAaQBvAG4AUABvAGwAaQBjAHkAIABVAG4AcgBlAHMAdAByAGkAYwB0AGUAZAAgAC0ARQBuAGMAbwBkAGUAZABDAG8AbQBtAGEAbgBkACAASgBnAEIAagBBAEcAZwBBAFkAdwBCAHcAQQBDADQAQQBZAHcAQgB2AEEARwAwAEEASQBBAEEAMgBBAEQAVQBBAE0AQQBBAHcAQQBEAEUAQQBJAEEAQQArAEEAQwBBAEEASgBBAEIAdQBBAEgAVQBBAGIAQQBCAHMAQQBBAG8AQQBKAEEAQgBsAEEASABnAEEAWgBRAEIAagBBAEYAOABBAGQAdwBCAHkAQQBHAEUAQQBjAEEAQgB3AEEARwBVAEEAYwBnAEIAZgBBAEgATQBBAGQAQQBCAHkAQQBDAEEAQQBQAFEAQQBnAEEAQwBRAEEAYQBRAEIAdQBBAEgAQQBBAGQAUQBCADAAQQBDAEEAQQBmAEEAQQBnAEEARQA4AEEAZABRAEIAMABBAEMAMABBAFUAdwBCADAAQQBIAEkAQQBhAFEAQgB1AEEARwBjAEEAQwBnAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBBAGcAQQBEADAAQQBJAEEAQQBrAEEARwBVAEEAZQBBAEIAbABBAEcATQBBAFgAdwBCADMAQQBIAEkAQQBZAFEAQgB3AEEASABBAEEAWgBRAEIAeQBBAEYAOABBAGMAdwBCADAAQQBIAEkAQQBMAGcAQgBUAEEASABBAEEAYgBBAEIAcABBAEgAUQBBAEsAQQBCAEEAQQBDAGcAQQBJAGcAQgBnAEEARABBAEEAWQBBAEEAdwBBAEcAQQBBAE0AQQBCAGcAQQBEAEEAQQBJAGcAQQBwAEEAQwB3AEEASQBBAEEAeQBBAEMAdwBBAEkAQQBCAGIAQQBGAE0AQQBkAEEAQgB5AEEARwBrAEEAYgBnAEIAbgBBAEYATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBQAEEASABBAEEAZABBAEIAcABBAEcAOABBAGIAZwBCAHoAQQBGADAAQQBPAGcAQQA2AEEARgBJAEEAWgBRAEIAdABBAEcAOABBAGQAZwBCAGwAQQBFAFUAQQBiAFEAQgB3AEEASABRAEEAZQBRAEIARgBBAEcANABBAGQAQQBCAHkAQQBHAGsAQQBaAFEAQgB6AEEAQwBrAEEAQwBnAEIASgBBAEcAWQBBAEkAQQBBAG8AQQBDADAAQQBiAGcAQgB2AEEASABRAEEASQBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBBAHUAQQBFAHcAQQBaAFEAQgB1AEEARwBjAEEAZABBAEIAbwBBAEMAQQBBAEwAUQBCAGwAQQBIAEUAQQBJAEEAQQB5AEEAQwBrAEEASQBBAEIANwBBAEMAQQBBAGQAQQBCAG8AQQBIAEkAQQBiAHcAQgAzAEEAQwBBAEEASQBnAEIAcABBAEcANABBAGQAZwBCAGgAQQBHAHcAQQBhAFEAQgBrAEEAQwBBAEEAYwBBAEIAaABBAEgAawBBAGIAQQBCAHYAQQBHAEUAQQBaAEEAQQBpAEEAQwBBAEEAZgBRAEEASwBBAEYATQBBAFoAUQBCADAAQQBDADAAQQBWAGcAQgBoAEEASABJAEEAYQBRAEIAaABBAEcASQBBAGIAQQBCAGwAQQBDAEEAQQBMAFEAQgBPAEEARwBFAEEAYgBRAEIAbABBAEMAQQBBAGEAZwBCAHoAQQBHADgAQQBiAGcAQgBmAEEASABJAEEAWQBRAEIAMwBBAEMAQQBBAEwAUQBCAFcAQQBHAEUAQQBiAEEAQgAxAEEARwBVAEEASQBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBCAGIAQQBEAEUAQQBYAFEAQQBLAEEAQwBRAEEAWgBRAEIANABBAEcAVQBBAFkAdwBCAGYAQQBIAGMAQQBjAGcAQgBoAEEASABBAEEAYwBBAEIAbABBAEgASQBBAEkAQQBBADkAQQBDAEEAQQBXAHcAQgBUAEEARwBNAEEAYwBnAEIAcABBAEgAQQBBAGQAQQBCAEMAQQBHAHcAQQBiAHcAQgBqAEEARwBzAEEAWABRAEEANgBBAEQAbwBBAFEAdwBCAHkAQQBHAFUAQQBZAFEAQgAwAEEARwBVAEEASwBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBCAGIAQQBEAEEAQQBYAFEAQQBwAEEAQQBvAEEASgBnAEEAawBBAEcAVQBBAGUAQQBCAGwAQQBHAE0AQQBYAHcAQgAzAEEASABJAEEAWQBRAEIAdwBBAEgAQQBBAFoAUQBCAHkAQQBBAD0APQA= 10341000x8000000000000000444Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:34.182{928AB1BB-E3EE-60C1-BC02-00000000C301}46004620C:\Windows\system32\conhost.exe{928AB1BB-E3EE-60C1-BD02-00000000C301}4664C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000443Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:34.182{928AB1BB-E35F-60C1-0C00-00000000C301}860904C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000442Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:34.182{928AB1BB-E35F-60C1-0C00-00000000C301}860904C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:34.182{928AB1BB-E35F-60C1-0C00-00000000C301}860904C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:34.182{928AB1BB-E35F-60C1-0C00-00000000C301}860904C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:34.182{928AB1BB-E35F-60C1-0C00-00000000C301}860904C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000438Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:34.182{928AB1BB-E35F-60C1-0C00-00000000C301}860904C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000437Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:34.182{928AB1BB-E35F-60C1-0C00-00000000C301}860904C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000436Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:34.182{928AB1BB-E35F-60C1-0C00-00000000C301}860904C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000435Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:34.182{928AB1BB-E349-60C1-0500-00000000C301}412532C:\Windows\system32\csrss.exe{928AB1BB-E3EE-60C1-BD02-00000000C301}4664C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000434Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:34.182{928AB1BB-E35F-60C1-0C00-00000000C301}860904C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000433Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:34.182{928AB1BB-E3EE-60C1-BB02-00000000C301}45884644C:\Windows\system32\WinrsHost.exe{928AB1BB-E3EE-60C1-BD02-00000000C301}4664C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\WinrsHost.exe+2c94|C:\Windows\system32\WinrsHost.exe+2eb1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b 154100x8000000000000000432Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:34.185{928AB1BB-E3EE-60C1-BD02-00000000C301}4664C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /C PowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand UABvAHcAZQByAFMAaABlAGwAbAAgAC0ATgBvAFAAcgBvAGYAaQBsAGUAIAAtAE4AbwBuAEkAbgB0AGUAcgBhAGMAdABpAHYAZQAgAC0ARQB4AGUAYwB1AHQAaQBvAG4AUABvAGwAaQBjAHkAIABVAG4AcgBlAHMAdAByAGkAYwB0AGUAZAAgAC0ARQBuAGMAbwBkAGUAZABDAG8AbQBtAGEAbgBkACAASgBnAEIAagBBAEcAZwBBAFkAdwBCAHcAQQBDADQAQQBZAHcAQgB2AEEARwAwAEEASQBBAEEAMgBBAEQAVQBBAE0AQQBBAHcAQQBEAEUAQQBJAEEAQQArAEEAQwBBAEEASgBBAEIAdQBBAEgAVQBBAGIAQQBCAHMAQQBBAG8AQQBKAEEAQgBsAEEASABnAEEAWgBRAEIAagBBAEYAOABBAGQAdwBCAHkAQQBHAEUAQQBjAEEAQgB3AEEARwBVAEEAYwBnAEIAZgBBAEgATQBBAGQAQQBCAHkAQQBDAEEAQQBQAFEAQQBnAEEAQwBRAEEAYQBRAEIAdQBBAEgAQQBBAGQAUQBCADAAQQBDAEEAQQBmAEEAQQBnAEEARQA4AEEAZABRAEIAMABBAEMAMABBAFUAdwBCADAAQQBIAEkAQQBhAFEAQgB1AEEARwBjAEEAQwBnAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBBAGcAQQBEADAAQQBJAEEAQQBrAEEARwBVAEEAZQBBAEIAbABBAEcATQBBAFgAdwBCADMAQQBIAEkAQQBZAFEAQgB3AEEASABBAEEAWgBRAEIAeQBBAEYAOABBAGMAdwBCADAAQQBIAEkAQQBMAGcAQgBUAEEASABBAEEAYgBBAEIAcABBAEgAUQBBAEsAQQBCAEEAQQBDAGcAQQBJAGcAQgBnAEEARABBAEEAWQBBAEEAdwBBAEcAQQBBAE0AQQBCAGcAQQBEAEEAQQBJAGcAQQBwAEEAQwB3AEEASQBBAEEAeQBBAEMAdwBBAEkAQQBCAGIAQQBGAE0AQQBkAEEAQgB5AEEARwBrAEEAYgBnAEIAbgBBAEYATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBQAEEASABBAEEAZABBAEIAcABBAEcAOABBAGIAZwBCAHoAQQBGADAAQQBPAGcAQQA2AEEARgBJAEEAWgBRAEIAdABBAEcAOABBAGQAZwBCAGwAQQBFAFUAQQBiAFEAQgB3AEEASABRAEEAZQBRAEIARgBBAEcANABBAGQAQQBCAHkAQQBHAGsAQQBaAFEAQgB6AEEAQwBrAEEAQwBnAEIASgBBAEcAWQBBAEkAQQBBAG8AQQBDADAAQQBiAGcAQgB2AEEASABRAEEASQBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBBAHUAQQBFAHcAQQBaAFEAQgB1AEEARwBjAEEAZABBAEIAbwBBAEMAQQBBAEwAUQBCAGwAQQBIAEUAQQBJAEEAQQB5AEEAQwBrAEEASQBBAEIANwBBAEMAQQBBAGQAQQBCAG8AQQBIAEkAQQBiAHcAQgAzAEEAQwBBAEEASQBnAEIAcABBAEcANABBAGQAZwBCAGgAQQBHAHcAQQBhAFEAQgBrAEEAQwBBAEEAYwBBAEIAaABBAEgAawBBAGIAQQBCAHYAQQBHAEUAQQBaAEEAQQBpAEEAQwBBAEEAZgBRAEEASwBBAEYATQBBAFoAUQBCADAAQQBDADAAQQBWAGcAQgBoAEEASABJAEEAYQBRAEIAaABBAEcASQBBAGIAQQBCAGwAQQBDAEEAQQBMAFEAQgBPAEEARwBFAEEAYgBRAEIAbABBAEMAQQBBAGEAZwBCAHoAQQBHADgAQQBiAGcAQgBmAEEASABJAEEAWQBRAEIAMwBBAEMAQQBBAEwAUQBCAFcAQQBHAEUAQQBiAEEAQgAxAEEARwBVAEEASQBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBCAGIAQQBEAEUAQQBYAFEAQQBLAEEAQwBRAEEAWgBRAEIANABBAEcAVQBBAFkAdwBCAGYAQQBIAGMAQQBjAGcAQgBoAEEASABBAEEAYwBBAEIAbABBAEgASQBBAEkAQQBBADkAQQBDAEEAQQBXAHcAQgBUAEEARwBNAEEAYwBnAEIAcABBAEgAQQBBAGQAQQBCAEMAQQBHAHcAQQBiAHcAQgBqAEEARwBzAEEAWABRAEEANgBBAEQAbwBBAFEAdwBCAHkAQQBHAFUAQQBZAFEAQgAwAEEARwBVAEEASwBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBCAGIAQQBEAEEAQQBYAFEAQQBwAEEAQQBvAEEASgBnAEEAawBBAEcAVQBBAGUAQQBCAGwAQQBHAE0AQQBYAHcAQgAzAEEASABJAEEAWQBRAEIAdwBBAEgAQQBBAFoAUQBCAHkAQQBBAD0APQA=C:\Users\Administrator\ATTACKRANGE\Administrator{928AB1BB-E3EE-60C1-E325-0E0000000000}0xe25e30HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{928AB1BB-E3EE-60C1-BB02-00000000C301}4588C:\Windows\System32\winrshost.exeC:\Windows\system32\WinrsHost.exe -Embedding 10341000x8000000000000000431Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:34.182{928AB1BB-E35D-60C1-0B00-00000000C301}632852C:\Windows\system32\lsass.exe{928AB1BB-E35F-60C1-1300-00000000C301}964C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+1d1e8|C:\Windows\system32\lsasrv.dll+1c411|C:\Windows\system32\lsasrv.dll+1ac30|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000430Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:34.182{928AB1BB-E35D-60C1-0B00-00000000C301}632852C:\Windows\system32\lsass.exe{928AB1BB-E35F-60C1-1300-00000000C301}964C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+19616|C:\Windows\system32\lsasrv.dll+1abbf|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000429Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:34.166{928AB1BB-E35D-60C1-0B00-00000000C301}632852C:\Windows\system32\lsass.exe{928AB1BB-E35F-60C1-1300-00000000C301}964C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000428Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:34.150{928AB1BB-E35F-60C1-1300-00000000C301}9641504C:\Windows\system32\svchost.exe{928AB1BB-E3EE-60C1-BB02-00000000C301}4588C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\winrscmd.dll+8d36|C:\Windows\system32\winrscmd.dll+92d5|C:\Windows\system32\winrscmd.dll+af31|C:\Windows\system32\winrscmd.dll+23dc|c:\windows\system32\wsmsvc.dll+155ac7|c:\windows\system32\wsmsvc.dll+13f76d|c:\windows\system32\wsmsvc.dll+13f3cf|c:\windows\system32\wsmsvc.dll+13fcb2|c:\windows\system32\wsmsvc.dll+9ab10|c:\windows\system32\wsmsvc.dll+9b611|c:\windows\system32\wsmsvc.dll+4495|c:\windows\system32\wsmsvc.dll+16816c|c:\windows\system32\wsmsvc.dll+1689b8|c:\windows\system32\wsmsvc.dll+16345b|c:\windows\system32\wsmsvc.dll+163125|c:\windows\system32\wsmsvc.dll+14ce9c|c:\windows\system32\wsmsvc.dll+130049|c:\windows\system32\wsmsvc.dll+13571a|c:\windows\system32\wsmsvc.dll+12f47e|c:\windows\system32\wsmsvc.dll+125587|c:\windows\system32\wsmsvc.dll+11f562|c:\windows\system32\wsmsvc.dll+124574 10341000x8000000000000000427Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:34.150{928AB1BB-E35F-60C1-0C00-00000000C301}860904C:\Windows\system32\svchost.exe{928AB1BB-E3EE-60C1-BB02-00000000C301}4588C:\Windows\system32\WinrsHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000426Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:34.135{928AB1BB-E3EE-60C1-BC02-00000000C301}46004620C:\Windows\system32\conhost.exe{928AB1BB-E3EE-60C1-BB02-00000000C301}4588C:\Windows\system32\WinrsHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000425Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:34.135{928AB1BB-E349-60C1-0500-00000000C301}412532C:\Windows\system32\csrss.exe{928AB1BB-E3EE-60C1-BC02-00000000C301}4600C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000424Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:34.119{928AB1BB-E35F-60C1-0C00-00000000C301}860904C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000423Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:34.119{928AB1BB-E35F-60C1-0C00-00000000C301}860904C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000422Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:34.119{928AB1BB-E35F-60C1-0C00-00000000C301}860904C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000421Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:34.119{928AB1BB-E35F-60C1-0C00-00000000C301}860904C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000420Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:34.119{928AB1BB-E35F-60C1-0C00-00000000C301}860904C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000419Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:34.119{928AB1BB-E35F-60C1-0C00-00000000C301}860904C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000418Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:34.119{928AB1BB-E35F-60C1-0C00-00000000C301}860904C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000417Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:34.119{928AB1BB-E35F-60C1-0C00-00000000C301}860904C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000416Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:34.119{928AB1BB-E35F-60C1-0C00-00000000C301}860904C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000415Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:34.119{928AB1BB-E349-60C1-0500-00000000C301}412428C:\Windows\system32\csrss.exe{928AB1BB-E3EE-60C1-BB02-00000000C301}4588C:\Windows\system32\WinrsHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000414Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:34.119{928AB1BB-E35F-60C1-0C00-00000000C301}860888C:\Windows\system32\svchost.exe{928AB1BB-E3EE-60C1-BB02-00000000C301}4588C:\Windows\system32\WinrsHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+35069|c:\windows\system32\rpcss.dll+3a852|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000413Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:34.131{928AB1BB-E3EE-60C1-BB02-00000000C301}4588C:\Windows\System32\winrshost.exe10.0.14393.0 (rs1_release.160715-1616)Host Process for WinRM's Remote Shell pluginMicrosoft® Windows® Operating SystemMicrosoft Corporationwinrshost.exeC:\Windows\system32\WinrsHost.exe -EmbeddingC:\Windows\system32\ATTACKRANGE\Administrator{928AB1BB-E3EE-60C1-E325-0E0000000000}0xe25e30HighMD5=F40EC96CA18D88CB1F26FA2070010714,SHA256=607C014A3CA531FFAD50BCD90095C01E4E6B691D9E18473C70E4699CF1E31453,IMPHASH=4216D8E7F36901B61DFD6309B49BCF96{928AB1BB-E35F-60C1-0C00-00000000C301}860C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch 10341000x8000000000000000412Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:34.119{928AB1BB-E35D-60C1-0B00-00000000C301}632852C:\Windows\system32\lsass.exe{928AB1BB-E35F-60C1-1300-00000000C301}964C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+1d1e8|C:\Windows\system32\lsasrv.dll+1c411|C:\Windows\system32\lsasrv.dll+1ac30|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000411Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:34.119{928AB1BB-E35D-60C1-0B00-00000000C301}632852C:\Windows\system32\lsass.exe{928AB1BB-E35F-60C1-1300-00000000C301}964C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+19616|C:\Windows\system32\lsasrv.dll+1abbf|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000410Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:34.119{928AB1BB-E35D-60C1-0B00-00000000C301}632852C:\Windows\system32\lsass.exe{928AB1BB-E35F-60C1-1300-00000000C301}964C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000615Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:35.988{928AB1BB-E3EF-60C1-C602-00000000C301}5056ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5=446DD1CF97EABA21CF14D03AEBC79F27,SHA256=A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000614Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:35.847{928AB1BB-E35D-60C1-0B00-00000000C301}632844C:\Windows\system32\lsass.exe{928AB1BB-E3EF-60C1-C602-00000000C301}5056C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000613Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:35.847{928AB1BB-E35D-60C1-0B00-00000000C301}632844C:\Windows\system32\lsass.exe{928AB1BB-E3EF-60C1-C602-00000000C301}5056C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 17141700x8000000000000000612Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-CreatePipe2021-06-10 10:05:35.831{928AB1BB-E3EF-60C1-C602-00000000C301}5056\PSHost.132677931357752900.5056.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 23542300x8000000000000000611Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:35.815{928AB1BB-E3EF-60C1-C602-00000000C301}5056ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_ocqxphoo.0ns.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000610Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:35.815{928AB1BB-E3EF-60C1-C602-00000000C301}5056ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_d551u0gj.24i.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000609Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:35.799{928AB1BB-E3EF-60C1-C602-00000000C301}5056C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_d551u0gj.24i.ps12021-06-10 10:05:35.799 10341000x8000000000000000608Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:35.799{928AB1BB-E35F-60C1-0C00-00000000C301}860888C:\Windows\system32\svchost.exe{928AB1BB-E3EF-60C1-C602-00000000C301}5056C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000607Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:35.784{928AB1BB-E35D-60C1-0B00-00000000C301}632844C:\Windows\system32\lsass.exe{928AB1BB-E35F-60C1-1300-00000000C301}964C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+1d1e8|C:\Windows\system32\lsasrv.dll+1c411|C:\Windows\system32\lsasrv.dll+1ac30|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000606Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:35.784{928AB1BB-E35D-60C1-0B00-00000000C301}632844C:\Windows\system32\lsass.exe{928AB1BB-E35F-60C1-1300-00000000C301}964C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+19616|C:\Windows\system32\lsasrv.dll+1abbf|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000605Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:35.784{928AB1BB-E35D-60C1-0B00-00000000C301}632844C:\Windows\system32\lsass.exe{928AB1BB-E35F-60C1-1300-00000000C301}964C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000604Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:35.768{928AB1BB-E3EF-60C1-C402-00000000C301}49805000C:\Windows\system32\conhost.exe{928AB1BB-E3EF-60C1-C602-00000000C301}5056C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000603Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:35.768{928AB1BB-E35F-60C1-0C00-00000000C301}860888C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000602Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:35.768{928AB1BB-E35F-60C1-0C00-00000000C301}860888C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000601Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:35.768{928AB1BB-E35F-60C1-0C00-00000000C301}860888C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000600Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:35.768{928AB1BB-E35F-60C1-0C00-00000000C301}860888C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000599Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:35.768{928AB1BB-E35F-60C1-0C00-00000000C301}860888C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000598Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:35.768{928AB1BB-E35F-60C1-0C00-00000000C301}860888C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000597Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:35.768{928AB1BB-E35F-60C1-0C00-00000000C301}860888C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000596Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:35.768{928AB1BB-E35F-60C1-0C00-00000000C301}860888C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:35.768{928AB1BB-E35F-60C1-0C00-00000000C301}860888C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000594Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:35.768{928AB1BB-E349-60C1-0500-00000000C301}412428C:\Windows\system32\csrss.exe{928AB1BB-E3EF-60C1-C602-00000000C301}5056C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000593Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:35.768{928AB1BB-E3EF-60C1-C502-00000000C301}50445048C:\Windows\system32\cmd.exe{928AB1BB-E3EF-60C1-C602-00000000C301}5056C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000592Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:35.775{928AB1BB-E3EF-60C1-C602-00000000C301}5056C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXEPowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand KABHAGUAdAAtAFcAbQBpAE8AYgBqAGUAYwB0ACAALQBDAGwAYQBzAHMATgBhAG0AZQAgAFcAaQBuADMAMgBfAE8AcABlAHIAYQB0AGkAbgBnAFMAeQBzAHQAZQBtACkALgBMAGEAcwB0AEIAbwBvAHQAVQBwAFQAaQBtAGUAC:\Users\Administrator\ATTACKRANGE\Administrator{928AB1BB-E3EF-60C1-7561-0E0000000000}0xe61750HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{928AB1BB-E3EF-60C1-C502-00000000C301}5044C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /C PowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand KABHAGUAdAAtAFcAbQBpAE8AYgBqAGUAYwB0ACAALQBDAGwAYQBzAHMATgBhAG0AZQAgAFcAaQBuADMAMgBfAE8AcABlAHIAYQB0AGkAbgBnAFMAeQBzAHQAZQBtACkALgBMAGEAcwB0AEIAbwBvAHQAVQBwAFQAaQBtAGUA 10341000x8000000000000000591Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:35.768{928AB1BB-E3EF-60C1-C402-00000000C301}49805000C:\Windows\system32\conhost.exe{928AB1BB-E3EF-60C1-C502-00000000C301}5044C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000590Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:35.768{928AB1BB-E35F-60C1-0C00-00000000C301}860888C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000589Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:35.768{928AB1BB-E35F-60C1-0C00-00000000C301}860888C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000588Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:35.768{928AB1BB-E35F-60C1-0C00-00000000C301}860888C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000587Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:35.768{928AB1BB-E35F-60C1-0C00-00000000C301}860888C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000586Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:35.768{928AB1BB-E35F-60C1-0C00-00000000C301}860888C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000585Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:35.768{928AB1BB-E35F-60C1-0C00-00000000C301}860888C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000584Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:35.768{928AB1BB-E35F-60C1-0C00-00000000C301}860888C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000583Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:35.768{928AB1BB-E35F-60C1-0C00-00000000C301}860888C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000582Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:35.768{928AB1BB-E35F-60C1-0C00-00000000C301}860888C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000581Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:35.768{928AB1BB-E349-60C1-0500-00000000C301}412428C:\Windows\system32\csrss.exe{928AB1BB-E3EF-60C1-C502-00000000C301}5044C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000580Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:35.768{928AB1BB-E3EF-60C1-C302-00000000C301}49685024C:\Windows\system32\WinrsHost.exe{928AB1BB-E3EF-60C1-C502-00000000C301}5044C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\WinrsHost.exe+2c94|C:\Windows\system32\WinrsHost.exe+2eb1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b 154100x8000000000000000579Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:35.769{928AB1BB-E3EF-60C1-C502-00000000C301}5044C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /C PowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand KABHAGUAdAAtAFcAbQBpAE8AYgBqAGUAYwB0ACAALQBDAGwAYQBzAHMATgBhAG0AZQAgAFcAaQBuADMAMgBfAE8AcABlAHIAYQB0AGkAbgBnAFMAeQBzAHQAZQBtACkALgBMAGEAcwB0AEIAbwBvAHQAVQBwAFQAaQBtAGUAC:\Users\Administrator\ATTACKRANGE\Administrator{928AB1BB-E3EF-60C1-7561-0E0000000000}0xe61750HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{928AB1BB-E3EF-60C1-C302-00000000C301}4968C:\Windows\System32\winrshost.exeC:\Windows\system32\WinrsHost.exe -Embedding 10341000x8000000000000000578Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:35.768{928AB1BB-E35D-60C1-0B00-00000000C301}632844C:\Windows\system32\lsass.exe{928AB1BB-E35F-60C1-1300-00000000C301}964C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+1d1e8|C:\Windows\system32\lsasrv.dll+1c411|C:\Windows\system32\lsasrv.dll+1ac30|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:35.752{928AB1BB-E35D-60C1-0B00-00000000C301}632844C:\Windows\system32\lsass.exe{928AB1BB-E35F-60C1-1300-00000000C301}964C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+19616|C:\Windows\system32\lsasrv.dll+1abbf|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:35.752{928AB1BB-E35D-60C1-0B00-00000000C301}632844C:\Windows\system32\lsass.exe{928AB1BB-E35F-60C1-1300-00000000C301}964C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:35.737{928AB1BB-E35F-60C1-1300-00000000C301}9641256C:\Windows\system32\svchost.exe{928AB1BB-E3EF-60C1-C302-00000000C301}4968C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\winrscmd.dll+8d36|C:\Windows\system32\winrscmd.dll+92d5|C:\Windows\system32\winrscmd.dll+af31|C:\Windows\system32\winrscmd.dll+23dc|c:\windows\system32\wsmsvc.dll+155ac7|c:\windows\system32\wsmsvc.dll+13f76d|c:\windows\system32\wsmsvc.dll+13f3cf|c:\windows\system32\wsmsvc.dll+13fcb2|c:\windows\system32\wsmsvc.dll+9ab10|c:\windows\system32\wsmsvc.dll+9b611|c:\windows\system32\wsmsvc.dll+4495|c:\windows\system32\wsmsvc.dll+16816c|c:\windows\system32\wsmsvc.dll+1689b8|c:\windows\system32\wsmsvc.dll+16345b|c:\windows\system32\wsmsvc.dll+163125|c:\windows\system32\wsmsvc.dll+14ce9c|c:\windows\system32\wsmsvc.dll+130049|c:\windows\system32\wsmsvc.dll+13571a|c:\windows\system32\wsmsvc.dll+12f47e|c:\windows\system32\wsmsvc.dll+125587|c:\windows\system32\wsmsvc.dll+11f562|c:\windows\system32\wsmsvc.dll+124574 10341000x8000000000000000574Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:35.721{928AB1BB-E35F-60C1-0C00-00000000C301}860888C:\Windows\system32\svchost.exe{928AB1BB-E3EF-60C1-C302-00000000C301}4968C:\Windows\system32\WinrsHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:35.721{928AB1BB-E3EF-60C1-C402-00000000C301}49805000C:\Windows\system32\conhost.exe{928AB1BB-E3EF-60C1-C302-00000000C301}4968C:\Windows\system32\WinrsHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:35.705{928AB1BB-E349-60C1-0500-00000000C301}412428C:\Windows\system32\csrss.exe{928AB1BB-E3EF-60C1-C402-00000000C301}4980C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000571Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:35.705{928AB1BB-E35F-60C1-0C00-00000000C301}860888C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000570Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:35.705{928AB1BB-E35F-60C1-0C00-00000000C301}860888C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000569Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:35.705{928AB1BB-E35F-60C1-0C00-00000000C301}860888C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000568Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:35.705{928AB1BB-E35F-60C1-0C00-00000000C301}860888C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000567Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:35.705{928AB1BB-E35F-60C1-0C00-00000000C301}860888C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000566Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:35.705{928AB1BB-E35F-60C1-0C00-00000000C301}860888C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000565Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:35.705{928AB1BB-E35F-60C1-0C00-00000000C301}860888C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000564Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:35.705{928AB1BB-E35F-60C1-0C00-00000000C301}860888C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000563Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:35.705{928AB1BB-E35F-60C1-0C00-00000000C301}860888C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000562Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:35.705{928AB1BB-E349-60C1-0500-00000000C301}412532C:\Windows\system32\csrss.exe{928AB1BB-E3EF-60C1-C302-00000000C301}4968C:\Windows\system32\WinrsHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000561Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:35.705{928AB1BB-E35F-60C1-0C00-00000000C301}860904C:\Windows\system32\svchost.exe{928AB1BB-E3EF-60C1-C302-00000000C301}4968C:\Windows\system32\WinrsHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+35069|c:\windows\system32\rpcss.dll+3a852|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000560Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:35.713{928AB1BB-E3EF-60C1-C302-00000000C301}4968C:\Windows\System32\winrshost.exe10.0.14393.0 (rs1_release.160715-1616)Host Process for WinRM's Remote Shell pluginMicrosoft® Windows® Operating SystemMicrosoft Corporationwinrshost.exeC:\Windows\system32\WinrsHost.exe -EmbeddingC:\Windows\system32\ATTACKRANGE\Administrator{928AB1BB-E3EF-60C1-7561-0E0000000000}0xe61750HighMD5=F40EC96CA18D88CB1F26FA2070010714,SHA256=607C014A3CA531FFAD50BCD90095C01E4E6B691D9E18473C70E4699CF1E31453,IMPHASH=4216D8E7F36901B61DFD6309B49BCF96{928AB1BB-E35F-60C1-0C00-00000000C301}860C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch 10341000x8000000000000000559Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:35.705{928AB1BB-E35D-60C1-0B00-00000000C301}632844C:\Windows\system32\lsass.exe{928AB1BB-E35F-60C1-1300-00000000C301}964C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+1d1e8|C:\Windows\system32\lsasrv.dll+1c411|C:\Windows\system32\lsasrv.dll+1ac30|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000558Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:35.705{928AB1BB-E35D-60C1-0B00-00000000C301}632844C:\Windows\system32\lsass.exe{928AB1BB-E35F-60C1-1300-00000000C301}964C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+19616|C:\Windows\system32\lsasrv.dll+1abbf|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000557Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:35.705{928AB1BB-E35D-60C1-0B00-00000000C301}632844C:\Windows\system32\lsass.exe{928AB1BB-E35F-60C1-1300-00000000C301}964C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000556Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:35.564{928AB1BB-E35D-60C1-0B00-00000000C301}632844C:\Windows\system32\lsass.exe{928AB1BB-E35F-60C1-1300-00000000C301}964C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+1d1e8|C:\Windows\system32\lsasrv.dll+1c411|C:\Windows\system32\lsasrv.dll+1ac30|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:35.564{928AB1BB-E35D-60C1-0B00-00000000C301}632844C:\Windows\system32\lsass.exe{928AB1BB-E35F-60C1-1300-00000000C301}964C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+19616|C:\Windows\system32\lsasrv.dll+1abbf|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:35.564{928AB1BB-E35D-60C1-0B00-00000000C301}632844C:\Windows\system32\lsass.exe{928AB1BB-E35F-60C1-1300-00000000C301}964C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:35.533{928AB1BB-E35D-60C1-0B00-00000000C301}632844C:\Windows\system32\lsass.exe{928AB1BB-E35F-60C1-1300-00000000C301}964C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+1d1e8|C:\Windows\system32\lsasrv.dll+1c411|C:\Windows\system32\lsasrv.dll+1ac30|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000552Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:35.533{928AB1BB-E35D-60C1-0B00-00000000C301}632844C:\Windows\system32\lsass.exe{928AB1BB-E35F-60C1-1300-00000000C301}964C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+19616|C:\Windows\system32\lsasrv.dll+1abbf|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000551Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:35.533{928AB1BB-E35D-60C1-0B00-00000000C301}632844C:\Windows\system32\lsass.exe{928AB1BB-E35F-60C1-1300-00000000C301}964C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000550Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:35.501{928AB1BB-E3EE-60C1-BE02-00000000C301}4676ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5=446DD1CF97EABA21CF14D03AEBC79F27,SHA256=A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000549Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:35.454{928AB1BB-E3EE-60C1-BF02-00000000C301}4772ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5=446DD1CF97EABA21CF14D03AEBC79F27,SHA256=A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000548Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-SetValue2021-06-10 10:05:35.423{928AB1BB-E3EE-60C1-BF02-00000000C301}4772C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Sysmon/Operational\RetentionDWORD (0x00000000) 354300x8000000000000000547Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:34.007{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse46.128.24.7946.128.24.79.dynamic.cablesurf.de52672-false10.0.1.14win-dc-365.attackrange.local5986- 354300x8000000000000000546Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:33.038{928AB1BB-E36F-60C1-1F00-00000000C301}2448C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-365.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-365.attackrange.local64441- 354300x8000000000000000545Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:32.219{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse46.128.24.7946.128.24.79.dynamic.cablesurf.de52668-false10.0.1.14win-dc-365.attackrange.local5986- 10341000x8000000000000000544Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:35.313{928AB1BB-E35D-60C1-0B00-00000000C301}632852C:\Windows\system32\lsass.exe{928AB1BB-E35F-60C1-1300-00000000C301}964C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+1d1e8|C:\Windows\system32\lsasrv.dll+1c411|C:\Windows\system32\lsasrv.dll+1ac30|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000543Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:35.313{928AB1BB-E35D-60C1-0B00-00000000C301}632852C:\Windows\system32\lsass.exe{928AB1BB-E35F-60C1-1300-00000000C301}964C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+19616|C:\Windows\system32\lsasrv.dll+1abbf|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000542Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:35.313{928AB1BB-E35D-60C1-0B00-00000000C301}632852C:\Windows\system32\lsass.exe{928AB1BB-E35F-60C1-1300-00000000C301}964C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000541Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:35.187{928AB1BB-E3EE-60C1-BF02-00000000C301}4772ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\nl2d1knh.0.csMD5=054C0A1487614BA970CB949FA443FFFB,SHA256=6B88C7F565FF6B5879B03F6F3622B596B63D0C76E3EC5751390A446AF187E21D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000540Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:35.187{928AB1BB-E3EE-60C1-BF02-00000000C301}4772ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\nl2d1knh.cmdlineMD5=27785FEB87ED632A06E8654EE4024E6F,SHA256=D2CE9B3AEC1128613EA10E11906B09246775A82A160CD4162ABBB9C6A0D960AB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000539Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:35.187{928AB1BB-E3EE-60C1-BF02-00000000C301}4772ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\nl2d1knh.dllMD5=F26EC578201E43D70DB2CC29B5910128,SHA256=65F0F94D6258EAA293DEA7717A13F896CBE15623C3D565472A0CE1649F8E136C,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruetrue 23542300x8000000000000000538Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:35.171{928AB1BB-E3EE-60C1-BF02-00000000C301}4772ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\nl2d1knh.pdbMD5=502F6093C3B32706560E2768CC404FA2,SHA256=BB9C015E01BEADC25CBBA65860DF4DF4B28C2A6E6329A1A7A338A9AABFDCAD60,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000537Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:35.171{928AB1BB-E3EE-60C1-BF02-00000000C301}4772ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\nl2d1knh.outMD5=23624BAC7B7BC3167701560C20F45BC9,SHA256=D03172131EBB0223258637209AF0B7AE6E7FD616BF94312735EB3E522CDA4D34,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000536Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:35.171{928AB1BB-E3EF-60C1-C102-00000000C301}4896ATTACKRANGE\AdministratorC:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeC:\Users\Administrator\AppData\Local\Temp\CSC1BEB4A1C72CE450BBA5FCAC4D47CB950.TMPMD5=A38F09AAF4A51032A5B682DB9AF72216,SHA256=604B558519F0F37F46879F65ACD35822766306C572C3C58F874490A6115906AF,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000535Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.localDLL2021-06-10 10:05:35.171{928AB1BB-E3EF-60C1-C102-00000000C301}4896C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeC:\Users\Administrator\AppData\Local\Temp\nl2d1knh.dll2021-06-10 10:05:35.077 23542300x8000000000000000534Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:35.171{928AB1BB-E3EF-60C1-C102-00000000C301}4896ATTACKRANGE\AdministratorC:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeC:\Users\Administrator\AppData\Local\Temp\nl2d1knh.dllMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000533Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:35.171{928AB1BB-E3EF-60C1-C102-00000000C301}4896ATTACKRANGE\AdministratorC:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeC:\Users\ADMINI~1\AppData\Local\Temp\RES8CD5.tmpMD5=2670F9A9C76B62664E2F8C4A298B76E0,SHA256=17897B7B72A595C428A3EF27F9938A8B039E3321A57CBDC46149E10B41BD91AA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000532Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:35.156{928AB1BB-E3EF-60C1-C202-00000000C301}4916ATTACKRANGE\AdministratorC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Users\ADMINI~1\AppData\Local\Temp\RES8CD5.tmpMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000531Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:35.156{928AB1BB-E3EE-60C1-BC02-00000000C301}46004620C:\Windows\system32\conhost.exe{928AB1BB-E3EF-60C1-C202-00000000C301}4916C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000530Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:35.156{928AB1BB-E35F-60C1-0C00-00000000C301}860904C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000529Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:35.156{928AB1BB-E35F-60C1-0C00-00000000C301}860904C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000528Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:35.156{928AB1BB-E35F-60C1-0C00-00000000C301}860904C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000527Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:35.156{928AB1BB-E35F-60C1-0C00-00000000C301}860904C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000526Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:35.156{928AB1BB-E35F-60C1-0C00-00000000C301}860904C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000525Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:35.156{928AB1BB-E35F-60C1-0C00-00000000C301}860904C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000524Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:35.156{928AB1BB-E35F-60C1-0C00-00000000C301}860904C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000523Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:35.156{928AB1BB-E35F-60C1-0C00-00000000C301}860904C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000522Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:35.156{928AB1BB-E349-60C1-0500-00000000C301}412500C:\Windows\system32\csrss.exe{928AB1BB-E3EF-60C1-C202-00000000C301}4916C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000521Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:35.156{928AB1BB-E35F-60C1-0C00-00000000C301}860904C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000520Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:35.156{928AB1BB-E3EF-60C1-C102-00000000C301}48964900C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe{928AB1BB-E3EF-60C1-C202-00000000C301}4916C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+b46d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+3db4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+3f2c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+4002|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+27b2|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+2804|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+2948|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+7fe06|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+4726f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+45e1f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+45b16|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+45826|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+1938a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+18bf6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+a831|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+1f0a49|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000519Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:35.163{928AB1BB-E3EF-60C1-C202-00000000C301}4916C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe14.10.25028.0 built by: VCTOOLSD15RTMMicrosoft® Resource File To COFF Object Conversion UtilityMicrosoft® .NET FrameworkMicrosoft CorporationCVTRES.EXEC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\ADMINI~1\AppData\Local\Temp\RES8CD5.tmp" "c:\Users\Administrator\AppData\Local\Temp\CSC1BEB4A1C72CE450BBA5FCAC4D47CB950.TMP"C:\Users\Administrator\ATTACKRANGE\Administrator{928AB1BB-E3EE-60C1-E325-0E0000000000}0xe25e30HighMD5=C877CBB966EA5939AA2A17B6A5160950,SHA256=1FE531EAC592B480AA4BD16052B909C3431434F17E7AE163D248355558CE43A6,IMPHASH=55D76ADE7FFEA0F41FF2B55505C2B362{928AB1BB-E3EF-60C1-C102-00000000C301}4896C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\ADMINI~1\AppData\Local\Temp\nl2d1knh.cmdline" 10341000x8000000000000000518Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:35.077{928AB1BB-E3EE-60C1-BC02-00000000C301}46004620C:\Windows\system32\conhost.exe{928AB1BB-E3EF-60C1-C102-00000000C301}4896C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000517Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:35.077{928AB1BB-E35F-60C1-0C00-00000000C301}860904C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000516Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:35.077{928AB1BB-E35F-60C1-0C00-00000000C301}860904C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000515Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:35.077{928AB1BB-E35F-60C1-0C00-00000000C301}860904C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000514Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:35.077{928AB1BB-E35F-60C1-0C00-00000000C301}860904C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000513Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:35.077{928AB1BB-E35F-60C1-0C00-00000000C301}860904C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000512Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:35.077{928AB1BB-E35F-60C1-0C00-00000000C301}860904C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000511Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:35.077{928AB1BB-E35F-60C1-0C00-00000000C301}860904C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000510Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:35.077{928AB1BB-E35F-60C1-0C00-00000000C301}860904C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000509Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:35.077{928AB1BB-E35F-60C1-0C00-00000000C301}860904C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000508Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:35.077{928AB1BB-E349-60C1-0500-00000000C301}412500C:\Windows\system32\csrss.exe{928AB1BB-E3EF-60C1-C102-00000000C301}4896C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000507Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:35.077{928AB1BB-E3EE-60C1-BF02-00000000C301}47724864C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{928AB1BB-E3EF-60C1-C102-00000000C301}4896C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\92b818b675d92827ce6f9fe02da8f648\System.ni.dll+384236|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\92b818b675d92827ce6f9fe02da8f648\System.ni.dll+2be405|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\92b818b675d92827ce6f9fe02da8f648\System.ni.dll+2be05f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\92b818b675d92827ce6f9fe02da8f648\System.ni.dll+2bdb80|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\92b818b675d92827ce6f9fe02da8f648\System.ni.dll+2bdb08|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\92b818b675d92827ce6f9fe02da8f648\System.ni.dll+2bc1c3|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\92b818b675d92827ce6f9fe02da8f648\System.ni.dll+7d8ed2|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\92b818b675d92827ce6f9fe02da8f648\System.ni.dll+7d894a|UNKNOWN(00007FFE6D5FBB0F) 154100x8000000000000000506Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:35.086{928AB1BB-E3EF-60C1-C102-00000000C301}4896C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe4.8.3761.0 built by: NET48REL1Visual C# Command Line CompilerMicrosoft® .NET FrameworkMicrosoft Corporationcsc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\ADMINI~1\AppData\Local\Temp\nl2d1knh.cmdline"C:\Users\Administrator\ATTACKRANGE\Administrator{928AB1BB-E3EE-60C1-E325-0E0000000000}0xe25e30HighMD5=23EE3D381CFE3B9F6229483E2CE2F9E1,SHA256=4240A12E0B246C9D69AF1F697488FE7DA1B497DF20F4A6F95135B4D5FE180A57,IMPHASH=EE1E569AD02AA1F7AECA80AC0601D80D{928AB1BB-E3EE-60C1-BF02-00000000C301}4772C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand JgBjAGgAYwBwAC4AYwBvAG0AIAA2ADUAMAAwADEAIAA+ACAAJABuAHUAbABsAAoAJABlAHgAZQBjAF8AdwByAGEAcABwAGUAcgBfAHMAdAByACAAPQAgACQAaQBuAHAAdQB0ACAAfAAgAE8AdQB0AC0AUwB0AHIAaQBuAGcACgAkAHMAcABsAGkAdABfAHAAYQByAHQAcwAgAD0AIAAkAGUAeABlAGMAXwB3AHIAYQBwAHAAZQByAF8AcwB0AHIALgBTAHAAbABpAHQAKABAACgAIgBgADAAYAAwAGAAMABgADAAIgApACwAIAAyACwAIABbAFMAdAByAGkAbgBnAFMAcABsAGkAdABPAHAAdABpAG8AbgBzAF0AOgA6AFIAZQBtAG8AdgBlAEUAbQBwAHQAeQBFAG4AdAByAGkAZQBzACkACgBJAGYAIAAoAC0AbgBvAHQAIAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwAuAEwAZQBuAGcAdABoACAALQBlAHEAIAAyACkAIAB7ACAAdABoAHIAbwB3ACAAIgBpAG4AdgBhAGwAaQBkACAAcABhAHkAbABvAGEAZAAiACAAfQAKAFMAZQB0AC0AVgBhAHIAaQBhAGIAbABlACAALQBOAGEAbQBlACAAagBzAG8AbgBfAHIAYQB3ACAALQBWAGEAbAB1AGUAIAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwBbADEAXQAKACQAZQB4AGUAYwBfAHcAcgBhAHAAcABlAHIAIAA9ACAAWwBTAGMAcgBpAHAAdABCAGwAbwBjAGsAXQA6ADoAQwByAGUAYQB0AGUAKAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwBbADAAXQApAAoAJgAkAGUAeABlAGMAXwB3AHIAYQBwAHAAZQByAA== 11241100x8000000000000000505Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:35.077{928AB1BB-E3EE-60C1-BF02-00000000C301}4772C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\nl2d1knh.cmdline2021-06-10 10:05:35.077 11241100x8000000000000000504Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.localDLL2021-06-10 10:05:35.077{928AB1BB-E3EE-60C1-BF02-00000000C301}4772C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\nl2d1knh.dll2021-06-10 10:05:35.077 10341000x8000000000000000766Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:36.820{928AB1BB-E35D-60C1-0B00-00000000C301}632844C:\Windows\system32\lsass.exe{928AB1BB-E35F-60C1-1300-00000000C301}964C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+1d1e8|C:\Windows\system32\lsasrv.dll+1c411|C:\Windows\system32\lsasrv.dll+1ac30|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000765Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:36.820{928AB1BB-E35D-60C1-0B00-00000000C301}632844C:\Windows\system32\lsass.exe{928AB1BB-E35F-60C1-1300-00000000C301}964C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+19616|C:\Windows\system32\lsasrv.dll+1abbf|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000764Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:36.820{928AB1BB-E35D-60C1-0B00-00000000C301}632844C:\Windows\system32\lsass.exe{928AB1BB-E35F-60C1-1300-00000000C301}964C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000763Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:36.773{928AB1BB-E3F0-60C1-CE02-00000000C301}4384ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5=446DD1CF97EABA21CF14D03AEBC79F27,SHA256=A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000762Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:36.647{928AB1BB-E35D-60C1-0B00-00000000C301}632840C:\Windows\system32\lsass.exe{928AB1BB-E3F0-60C1-CE02-00000000C301}4384C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000761Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:36.647{928AB1BB-E35D-60C1-0B00-00000000C301}632840C:\Windows\system32\lsass.exe{928AB1BB-E3F0-60C1-CE02-00000000C301}4384C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 17141700x8000000000000000760Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-CreatePipe2021-06-10 10:05:36.632{928AB1BB-E3F0-60C1-CE02-00000000C301}4384\PSHost.132677931365716180.4384.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 23542300x8000000000000000759Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:36.616{928AB1BB-E3F0-60C1-CE02-00000000C301}4384ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_pkqzr0hg.0ly.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000758Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:36.616{928AB1BB-E3F0-60C1-CE02-00000000C301}4384ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_ss5fk5xa.f3e.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000757Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:36.616{928AB1BB-E3F0-60C1-CE02-00000000C301}4384C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_ss5fk5xa.f3e.ps12021-06-10 10:05:36.616 10341000x8000000000000000756Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:36.600{928AB1BB-E35D-60C1-0B00-00000000C301}632840C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x8000000000000000755Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:36.600{928AB1BB-E35D-60C1-0B00-00000000C301}632852C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x8000000000000000754Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:36.600{928AB1BB-E35F-60C1-0C00-00000000C301}860904C:\Windows\system32\svchost.exe{928AB1BB-E3F0-60C1-CE02-00000000C301}4384C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000753Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:36.585{928AB1BB-E35D-60C1-0B00-00000000C301}632844C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x8000000000000000752Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:36.585{928AB1BB-E35D-60C1-0B00-00000000C301}632844C:\Windows\system32\lsass.exe{928AB1BB-E35F-60C1-1300-00000000C301}964C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+1d1e8|C:\Windows\system32\lsasrv.dll+1c411|C:\Windows\system32\lsasrv.dll+1ac30|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000751Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:36.585{928AB1BB-E35D-60C1-0B00-00000000C301}632844C:\Windows\system32\lsass.exe{928AB1BB-E35F-60C1-1300-00000000C301}964C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+19616|C:\Windows\system32\lsasrv.dll+1abbf|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000750Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:36.585{928AB1BB-E35D-60C1-0B00-00000000C301}632844C:\Windows\system32\lsass.exe{928AB1BB-E35F-60C1-1300-00000000C301}964C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000749Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:36.569{928AB1BB-E3F0-60C1-CC02-00000000C301}12043680C:\Windows\system32\conhost.exe{928AB1BB-E3F0-60C1-CE02-00000000C301}4384C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000748Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:36.569{928AB1BB-E35F-60C1-0C00-00000000C301}860904C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000747Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:36.569{928AB1BB-E35F-60C1-0C00-00000000C301}860904C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000746Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:36.569{928AB1BB-E35F-60C1-0C00-00000000C301}860904C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000745Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:36.569{928AB1BB-E35F-60C1-0C00-00000000C301}860904C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000744Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:36.569{928AB1BB-E35F-60C1-0C00-00000000C301}860904C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000743Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:36.569{928AB1BB-E35F-60C1-0C00-00000000C301}860904C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000742Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:36.569{928AB1BB-E35F-60C1-0C00-00000000C301}860904C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000741Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:36.569{928AB1BB-E35F-60C1-0C00-00000000C301}860904C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000740Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:36.569{928AB1BB-E35F-60C1-0C00-00000000C301}860904C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000739Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:36.569{928AB1BB-E349-60C1-0500-00000000C301}412532C:\Windows\system32\csrss.exe{928AB1BB-E3F0-60C1-CE02-00000000C301}4384C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000738Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:36.569{928AB1BB-E3F0-60C1-CD02-00000000C301}41484228C:\Windows\system32\cmd.exe{928AB1BB-E3F0-60C1-CE02-00000000C301}4384C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000737Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:36.571{928AB1BB-E3F0-60C1-CE02-00000000C301}4384C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXEPowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand KABHAGUAdAAtAFcAbQBpAE8AYgBqAGUAYwB0ACAALQBDAGwAYQBzAHMATgBhAG0AZQAgAFcAaQBuADMAMgBfAE8AcABlAHIAYQB0AGkAbgBnAFMAeQBzAHQAZQBtACkALgBMAGEAcwB0AEIAbwBvAHQAVQBwAFQAaQBtAGUAC:\Users\Administrator\ATTACKRANGE\Administrator{928AB1BB-E3F0-60C1-8AAF-0E0000000000}0xeaf8a0HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{928AB1BB-E3F0-60C1-CD02-00000000C301}4148C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /C PowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand KABHAGUAdAAtAFcAbQBpAE8AYgBqAGUAYwB0ACAALQBDAGwAYQBzAHMATgBhAG0AZQAgAFcAaQBuADMAMgBfAE8AcABlAHIAYQB0AGkAbgBnAFMAeQBzAHQAZQBtACkALgBMAGEAcwB0AEIAbwBvAHQAVQBwAFQAaQBtAGUA 10341000x8000000000000000736Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:36.553{928AB1BB-E3F0-60C1-CC02-00000000C301}12043680C:\Windows\system32\conhost.exe{928AB1BB-E3F0-60C1-CD02-00000000C301}4148C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000735Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:36.553{928AB1BB-E35F-60C1-0C00-00000000C301}860904C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000734Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:36.553{928AB1BB-E35F-60C1-0C00-00000000C301}860904C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000733Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:36.553{928AB1BB-E35F-60C1-0C00-00000000C301}860904C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000732Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:36.553{928AB1BB-E35F-60C1-0C00-00000000C301}860904C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000731Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:36.553{928AB1BB-E35F-60C1-0C00-00000000C301}860904C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000730Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:36.553{928AB1BB-E35F-60C1-0C00-00000000C301}860904C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000729Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:36.553{928AB1BB-E35F-60C1-0C00-00000000C301}860904C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000728Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:36.553{928AB1BB-E35F-60C1-0C00-00000000C301}860904C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000727Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:36.553{928AB1BB-E349-60C1-0500-00000000C301}412532C:\Windows\system32\csrss.exe{928AB1BB-E3F0-60C1-CD02-00000000C301}4148C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000726Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:36.553{928AB1BB-E35F-60C1-0C00-00000000C301}860904C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000725Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:36.553{928AB1BB-E3F0-60C1-CB02-00000000C301}31323000C:\Windows\system32\WinrsHost.exe{928AB1BB-E3F0-60C1-CD02-00000000C301}4148C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\WinrsHost.exe+2c94|C:\Windows\system32\WinrsHost.exe+2eb1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b 154100x8000000000000000724Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:36.565{928AB1BB-E3F0-60C1-CD02-00000000C301}4148C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /C PowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand KABHAGUAdAAtAFcAbQBpAE8AYgBqAGUAYwB0ACAALQBDAGwAYQBzAHMATgBhAG0AZQAgAFcAaQBuADMAMgBfAE8AcABlAHIAYQB0AGkAbgBnAFMAeQBzAHQAZQBtACkALgBMAGEAcwB0AEIAbwBvAHQAVQBwAFQAaQBtAGUAC:\Users\Administrator\ATTACKRANGE\Administrator{928AB1BB-E3F0-60C1-8AAF-0E0000000000}0xeaf8a0HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{928AB1BB-E3F0-60C1-CB02-00000000C301}3132C:\Windows\System32\winrshost.exeC:\Windows\system32\WinrsHost.exe -Embedding 10341000x8000000000000000723Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:36.553{928AB1BB-E35D-60C1-0B00-00000000C301}632844C:\Windows\system32\lsass.exe{928AB1BB-E35F-60C1-1300-00000000C301}964C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+1d1e8|C:\Windows\system32\lsasrv.dll+1c411|C:\Windows\system32\lsasrv.dll+1ac30|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000722Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:36.553{928AB1BB-E35D-60C1-0B00-00000000C301}632844C:\Windows\system32\lsass.exe{928AB1BB-E35F-60C1-1300-00000000C301}964C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+19616|C:\Windows\system32\lsasrv.dll+1abbf|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000721Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:36.553{928AB1BB-E35D-60C1-0B00-00000000C301}632844C:\Windows\system32\lsass.exe{928AB1BB-E35F-60C1-1300-00000000C301}964C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000720Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:36.537{928AB1BB-E35F-60C1-1300-00000000C301}9641504C:\Windows\system32\svchost.exe{928AB1BB-E3F0-60C1-CB02-00000000C301}3132C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\winrscmd.dll+8d36|C:\Windows\system32\winrscmd.dll+92d5|C:\Windows\system32\winrscmd.dll+af31|C:\Windows\system32\winrscmd.dll+23dc|c:\windows\system32\wsmsvc.dll+155ac7|c:\windows\system32\wsmsvc.dll+13f76d|c:\windows\system32\wsmsvc.dll+13f3cf|c:\windows\system32\wsmsvc.dll+13fcb2|c:\windows\system32\wsmsvc.dll+9ab10|c:\windows\system32\wsmsvc.dll+9b611|c:\windows\system32\wsmsvc.dll+4495|c:\windows\system32\wsmsvc.dll+16816c|c:\windows\system32\wsmsvc.dll+1689b8|c:\windows\system32\wsmsvc.dll+16345b|c:\windows\system32\wsmsvc.dll+163125|c:\windows\system32\wsmsvc.dll+14ce9c|c:\windows\system32\wsmsvc.dll+130049|c:\windows\system32\wsmsvc.dll+13571a|c:\windows\system32\wsmsvc.dll+12f47e|c:\windows\system32\wsmsvc.dll+125587|c:\windows\system32\wsmsvc.dll+11f562|c:\windows\system32\wsmsvc.dll+124574 10341000x8000000000000000719Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:36.522{928AB1BB-E35F-60C1-0C00-00000000C301}860904C:\Windows\system32\svchost.exe{928AB1BB-E3F0-60C1-CB02-00000000C301}3132C:\Windows\system32\WinrsHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000718Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:36.522{928AB1BB-E3F0-60C1-CC02-00000000C301}12043680C:\Windows\system32\conhost.exe{928AB1BB-E3F0-60C1-CB02-00000000C301}3132C:\Windows\system32\WinrsHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000717Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:36.506{928AB1BB-E349-60C1-0500-00000000C301}412532C:\Windows\system32\csrss.exe{928AB1BB-E3F0-60C1-CC02-00000000C301}1204C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000716Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:36.506{928AB1BB-E35F-60C1-0C00-00000000C301}860904C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000715Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:36.506{928AB1BB-E35F-60C1-0C00-00000000C301}860904C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000714Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:36.506{928AB1BB-E35F-60C1-0C00-00000000C301}860904C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000713Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:36.506{928AB1BB-E35F-60C1-0C00-00000000C301}860904C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000712Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:36.506{928AB1BB-E35F-60C1-0C00-00000000C301}860904C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000711Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:36.506{928AB1BB-E35F-60C1-0C00-00000000C301}860904C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000710Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:36.506{928AB1BB-E35F-60C1-0C00-00000000C301}860904C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000709Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:36.506{928AB1BB-E35F-60C1-0C00-00000000C301}860904C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000708Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:36.506{928AB1BB-E35F-60C1-0C00-00000000C301}860904C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000707Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:36.506{928AB1BB-E349-60C1-0500-00000000C301}412500C:\Windows\system32\csrss.exe{928AB1BB-E3F0-60C1-CB02-00000000C301}3132C:\Windows\system32\WinrsHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000706Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:36.506{928AB1BB-E35F-60C1-0C00-00000000C301}860888C:\Windows\system32\svchost.exe{928AB1BB-E3F0-60C1-CB02-00000000C301}3132C:\Windows\system32\WinrsHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+35069|c:\windows\system32\rpcss.dll+3a852|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000705Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:36.511{928AB1BB-E3F0-60C1-CB02-00000000C301}3132C:\Windows\System32\winrshost.exe10.0.14393.0 (rs1_release.160715-1616)Host Process for WinRM's Remote Shell pluginMicrosoft® Windows® Operating SystemMicrosoft Corporationwinrshost.exeC:\Windows\system32\WinrsHost.exe -EmbeddingC:\Windows\system32\ATTACKRANGE\Administrator{928AB1BB-E3F0-60C1-8AAF-0E0000000000}0xeaf8a0HighMD5=F40EC96CA18D88CB1F26FA2070010714,SHA256=607C014A3CA531FFAD50BCD90095C01E4E6B691D9E18473C70E4699CF1E31453,IMPHASH=4216D8E7F36901B61DFD6309B49BCF96{928AB1BB-E35F-60C1-0C00-00000000C301}860C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch 10341000x8000000000000000704Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:36.506{928AB1BB-E35D-60C1-0B00-00000000C301}632844C:\Windows\system32\lsass.exe{928AB1BB-E35F-60C1-1300-00000000C301}964C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+1d1e8|C:\Windows\system32\lsasrv.dll+1c411|C:\Windows\system32\lsasrv.dll+1ac30|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000703Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:36.506{928AB1BB-E35D-60C1-0B00-00000000C301}632844C:\Windows\system32\lsass.exe{928AB1BB-E35F-60C1-1300-00000000C301}964C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+19616|C:\Windows\system32\lsasrv.dll+1abbf|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000702Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:36.506{928AB1BB-E35D-60C1-0B00-00000000C301}632844C:\Windows\system32\lsass.exe{928AB1BB-E35F-60C1-1300-00000000C301}964C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000701Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:36.396{928AB1BB-E35D-60C1-0B00-00000000C301}632844C:\Windows\system32\lsass.exe{928AB1BB-E35F-60C1-1300-00000000C301}964C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+1d1e8|C:\Windows\system32\lsasrv.dll+1c411|C:\Windows\system32\lsasrv.dll+1ac30|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000700Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:36.396{928AB1BB-E35D-60C1-0B00-00000000C301}632844C:\Windows\system32\lsass.exe{928AB1BB-E35F-60C1-1300-00000000C301}964C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+19616|C:\Windows\system32\lsasrv.dll+1abbf|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000699Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:36.396{928AB1BB-E35D-60C1-0B00-00000000C301}632844C:\Windows\system32\lsass.exe{928AB1BB-E35F-60C1-1300-00000000C301}964C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000698Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:36.365{928AB1BB-E3F0-60C1-C802-00000000C301}2384ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5=446DD1CF97EABA21CF14D03AEBC79F27,SHA256=A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000697Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:36.349{928AB1BB-E3F0-60C1-C902-00000000C301}3580ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5=446DD1CF97EABA21CF14D03AEBC79F27,SHA256=A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000696Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:36.333{928AB1BB-E35F-60C1-0C00-00000000C301}860888C:\Windows\system32\svchost.exe{928AB1BB-E357-60C1-0700-00000000C301}488C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000695Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:36.333{928AB1BB-E35F-60C1-0C00-00000000C301}860888C:\Windows\system32\svchost.exe{928AB1BB-E357-60C1-0700-00000000C301}488C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000694Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:36.333{928AB1BB-E35F-60C1-0C00-00000000C301}860888C:\Windows\system32\svchost.exe{928AB1BB-E357-60C1-0700-00000000C301}488C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000693Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:36.333{928AB1BB-E35F-60C1-0C00-00000000C301}860888C:\Windows\system32\svchost.exe{928AB1BB-E357-60C1-0700-00000000C301}488C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000692Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:36.333{928AB1BB-E35F-60C1-0C00-00000000C301}860888C:\Windows\system32\svchost.exe{928AB1BB-E357-60C1-0700-00000000C301}488C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000691Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:36.333{928AB1BB-E35F-60C1-0C00-00000000C301}860888C:\Windows\system32\svchost.exe{928AB1BB-E357-60C1-0700-00000000C301}488C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000690Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:36.302{928AB1BB-E3EF-60C1-C402-00000000C301}49805000C:\Windows\system32\conhost.exe{928AB1BB-E3F0-60C1-CA02-00000000C301}2144C:\Windows\system32\shutdown.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000689Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:36.302{928AB1BB-E35F-60C1-0C00-00000000C301}860888C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000688Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:36.302{928AB1BB-E35F-60C1-0C00-00000000C301}860888C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000687Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:36.302{928AB1BB-E35F-60C1-0C00-00000000C301}860888C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000686Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:36.302{928AB1BB-E35F-60C1-0C00-00000000C301}860888C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000685Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:36.302{928AB1BB-E35F-60C1-0C00-00000000C301}860888C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000684Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:36.302{928AB1BB-E35F-60C1-0C00-00000000C301}860888C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000683Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:36.302{928AB1BB-E35F-60C1-0C00-00000000C301}860888C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000682Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:36.302{928AB1BB-E35F-60C1-0C00-00000000C301}860888C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000681Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:36.302{928AB1BB-E349-60C1-0500-00000000C301}412428C:\Windows\system32\csrss.exe{928AB1BB-E3F0-60C1-CA02-00000000C301}2144C:\Windows\system32\shutdown.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000680Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:36.302{928AB1BB-E35F-60C1-0C00-00000000C301}860888C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000679Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:36.302{928AB1BB-E3F0-60C1-C902-00000000C301}35803228C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{928AB1BB-E3F0-60C1-CA02-00000000C301}2144C:\Windows\system32\shutdown.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\92b818b675d92827ce6f9fe02da8f648\System.ni.dll+384236|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\92b818b675d92827ce6f9fe02da8f648\System.ni.dll+2c4809|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\92b818b675d92827ce6f9fe02da8f648\System.ni.dll+2c4179|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c454818c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c39bb485(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c39bb0c0(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c449354e(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c3978032(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c39dbaa4(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c39bdab3(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c39bdab3(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c39bd944(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c39ae664(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c39bbba6(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c39bb773(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c39bb485(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c39bb0c0(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c449354e(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c39a036b(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+c399f8dd(wow64) 154100x8000000000000000678Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:36.312{928AB1BB-E3F0-60C1-CA02-00000000C301}2144C:\Windows\System32\shutdown.exe10.0.14393.0 (rs1_release.160715-1616)Windows Shutdown and Annotation ToolMicrosoft® Windows® Operating SystemMicrosoft CorporationSHUTDOWN.EXE"C:\Windows\system32\shutdown.exe" /r /t 2 /c "Reboot initiated by Ansible"C:\Users\Administrator\ATTACKRANGE\Administrator{928AB1BB-E3EF-60C1-7561-0E0000000000}0xe61750HighMD5=547993395376742A437D3145AF6B0309,SHA256=F96073C3442EA0A99B4945394007602772DB36732D1511DC2068519526678F8A,IMPHASH=609F1D7580ED496A3076AEBA77DAFC7E{928AB1BB-E3F0-60C1-C902-00000000C301}3580C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand UwBlAHQALQBTAHQAcgBpAGMAdABNAG8AZABlACAALQBWAGUAcgBzAGkAbwBuACAATABhAHQAZQBzAHQACgBzAGgAdQB0AGQAbwB3AG4AIAAvAHIAIAAvAHQAIAAyACAALwBjACAAIgBSAGUAYgBvAG8AdAAgAGkAbgBpAHQAaQBhAHQAZQBkACAAYgB5ACAAQQBuAHMAaQBiAGwAZQAiAAoASQBmACAAKAAtAG4AbwB0ACAAJAA/ACkAIAB7ACAASQBmACAAKABHAGUAdAAtAFYAYQByAGkAYQBiAGwAZQAgAEwAQQBTAFQARQBYAEkAVABDAE8ARABFACAALQBFAHIAcgBvAHIAQQBjAHQAaQBvAG4AIABTAGkAbABlAG4AdABsAHkAQwBvAG4AdABpAG4AdQBlACkAIAB7ACAAZQB4AGkAdAAgACQATABBAFMAVABFAFgASQBUAEMATwBEAEUAIAB9ACAARQBsAHMAZQAgAHsAIABlAHgAaQB0ACAAMQAgAH0AIAB9AA== 10341000x8000000000000000677Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:36.255{928AB1BB-E35D-60C1-0B00-00000000C301}632852C:\Windows\system32\lsass.exe{928AB1BB-E3F0-60C1-C902-00000000C301}3580C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000676Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:36.255{928AB1BB-E35D-60C1-0B00-00000000C301}632852C:\Windows\system32\lsass.exe{928AB1BB-E3F0-60C1-C902-00000000C301}3580C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 17141700x8000000000000000675Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-CreatePipe2021-06-10 10:05:36.239{928AB1BB-E3F0-60C1-C902-00000000C301}3580\PSHost.132677931361893627.3580.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 23542300x8000000000000000674Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:36.223{928AB1BB-E3F0-60C1-C902-00000000C301}3580ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_2xeqtelv.dxh.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000673Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:36.223{928AB1BB-E3F0-60C1-C902-00000000C301}3580ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_mnqbn2aw.gss.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000672Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:36.223{928AB1BB-E3F0-60C1-C902-00000000C301}3580C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_mnqbn2aw.gss.ps12021-06-10 10:05:36.223 10341000x8000000000000000671Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:36.208{928AB1BB-E35F-60C1-0C00-00000000C301}860888C:\Windows\system32\svchost.exe{928AB1BB-E3F0-60C1-C902-00000000C301}3580C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000670Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:36.176{928AB1BB-E3EF-60C1-C402-00000000C301}49805000C:\Windows\system32\conhost.exe{928AB1BB-E3F0-60C1-C902-00000000C301}3580C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000669Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:36.176{928AB1BB-E35F-60C1-0C00-00000000C301}860888C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000668Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:36.176{928AB1BB-E35F-60C1-0C00-00000000C301}860888C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000667Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:36.176{928AB1BB-E35F-60C1-0C00-00000000C301}860888C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000666Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:36.176{928AB1BB-E35F-60C1-0C00-00000000C301}860888C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000665Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:36.176{928AB1BB-E35F-60C1-0C00-00000000C301}860888C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000664Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:36.176{928AB1BB-E35F-60C1-0C00-00000000C301}860888C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000663Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:36.176{928AB1BB-E35F-60C1-0C00-00000000C301}860888C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000662Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:36.176{928AB1BB-E35F-60C1-0C00-00000000C301}860888C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000661Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:36.176{928AB1BB-E35F-60C1-0C00-00000000C301}860888C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000660Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:36.176{928AB1BB-E349-60C1-0500-00000000C301}412428C:\Windows\system32\csrss.exe{928AB1BB-E3F0-60C1-C902-00000000C301}3580C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000659Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:36.176{928AB1BB-E3F0-60C1-C802-00000000C301}23844136C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{928AB1BB-E3F0-60C1-C902-00000000C301}3580C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\92b818b675d92827ce6f9fe02da8f648\System.ni.dll+384236|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\92b818b675d92827ce6f9fe02da8f648\System.ni.dll+2c4809|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\92b818b675d92827ce6f9fe02da8f648\System.ni.dll+2c4179|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+8252d649|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+819a0942|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+819a057d|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+82478a0b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+8195d4ef|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+819c0f61|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+819a2f70|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+819a2f70|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+819a2e01|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+81993b21|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+819a1063|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+819a0c30|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+819a0942|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+819a057d|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+82478a0b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+81985828|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+81984d9a 154100x8000000000000000658Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:36.189{928AB1BB-E3F0-60C1-C902-00000000C301}3580C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXE"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand UwBlAHQALQBTAHQAcgBpAGMAdABNAG8AZABlACAALQBWAGUAcgBzAGkAbwBuACAATABhAHQAZQBzAHQACgBzAGgAdQB0AGQAbwB3AG4AIAAvAHIAIAAvAHQAIAAyACAALwBjACAAIgBSAGUAYgBvAG8AdAAgAGkAbgBpAHQAaQBhAHQAZQBkACAAYgB5ACAAQQBuAHMAaQBiAGwAZQAiAAoASQBmACAAKAAtAG4AbwB0ACAAJAA/ACkAIAB7ACAASQBmACAAKABHAGUAdAAtAFYAYQByAGkAYQBiAGwAZQAgAEwAQQBTAFQARQBYAEkAVABDAE8ARABFACAALQBFAHIAcgBvAHIAQQBjAHQAaQBvAG4AIABTAGkAbABlAG4AdABsAHkAQwBvAG4AdABpAG4AdQBlACkAIAB7ACAAZQB4AGkAdAAgACQATABBAFMAVABFAFgASQBUAEMATwBEAEUAIAB9ACAARQBsAHMAZQAgAHsAIABlAHgAaQB0ACAAMQAgAH0AIAB9AA==C:\Users\Administrator\ATTACKRANGE\Administrator{928AB1BB-E3EF-60C1-7561-0E0000000000}0xe61750HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{928AB1BB-E3F0-60C1-C802-00000000C301}2384C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand UABvAHcAZQByAFMAaABlAGwAbAAgAC0ATgBvAFAAcgBvAGYAaQBsAGUAIAAtAE4AbwBuAEkAbgB0AGUAcgBhAGMAdABpAHYAZQAgAC0ARQB4AGUAYwB1AHQAaQBvAG4AUABvAGwAaQBjAHkAIABVAG4AcgBlAHMAdAByAGkAYwB0AGUAZAAgAC0ARQBuAGMAbwBkAGUAZABDAG8AbQBtAGEAbgBkACAAVQB3AEIAbABBAEgAUQBBAEwAUQBCAFQAQQBIAFEAQQBjAGcAQgBwAEEARwBNAEEAZABBAEIATgBBAEcAOABBAFoAQQBCAGwAQQBDAEEAQQBMAFEAQgBXAEEARwBVAEEAYwBnAEIAegBBAEcAawBBAGIAdwBCAHUAQQBDAEEAQQBUAEEAQgBoAEEASABRAEEAWgBRAEIAegBBAEgAUQBBAEMAZwBCAHoAQQBHAGcAQQBkAFEAQgAwAEEARwBRAEEAYgB3AEIAMwBBAEcANABBAEkAQQBBAHYAQQBIAEkAQQBJAEEAQQB2AEEASABRAEEASQBBAEEAeQBBAEMAQQBBAEwAdwBCAGoAQQBDAEEAQQBJAGcAQgBTAEEARwBVAEEAWQBnAEIAdgBBAEcAOABBAGQAQQBBAGcAQQBHAGsAQQBiAGcAQgBwAEEASABRAEEAYQBRAEIAaABBAEgAUQBBAFoAUQBCAGsAQQBDAEEAQQBZAGcAQgA1AEEAQwBBAEEAUQBRAEIAdQBBAEgATQBBAGEAUQBCAGkAQQBHAHcAQQBaAFEAQQBpAEEAQQBvAEEAUwBRAEIAbQBBAEMAQQBBAEsAQQBBAHQAQQBHADQAQQBiAHcAQgAwAEEAQwBBAEEASgBBAEEALwBBAEMAawBBAEkAQQBCADcAQQBDAEEAQQBTAFEAQgBtAEEAQwBBAEEASwBBAEIASABBAEcAVQBBAGQAQQBBAHQAQQBGAFkAQQBZAFEAQgB5AEEARwBrAEEAWQBRAEIAaQBBAEcAdwBBAFoAUQBBAGcAQQBFAHcAQQBRAFEAQgBUAEEARgBRAEEAUgBRAEIAWQBBAEUAawBBAFYAQQBCAEQAQQBFADgAQQBSAEEAQgBGAEEAQwBBAEEATABRAEIARgBBAEgASQBBAGMAZwBCAHYAQQBIAEkAQQBRAFEAQgBqAEEASABRAEEAYQBRAEIAdgBBAEcANABBAEkAQQBCAFQAQQBHAGsAQQBiAEEAQgBsAEEARwA0AEEAZABBAEIAcwBBAEgAawBBAFEAdwBCAHYAQQBHADQAQQBkAEEAQgBwAEEARwA0AEEAZABRAEIAbABBAEMAawBBAEkAQQBCADcAQQBDAEEAQQBaAFEAQgA0AEEARwBrAEEAZABBAEEAZwBBAEMAUQBBAFQAQQBCAEIAQQBGAE0AQQBWAEEAQgBGAEEARgBnAEEAUwBRAEIAVQBBAEUATQBBAFQAdwBCAEUAQQBFAFUAQQBJAEEAQgA5AEEAQwBBAEEAUgBRAEIAcwBBAEgATQBBAFoAUQBBAGcAQQBIAHMAQQBJAEEAQgBsAEEASABnAEEAYQBRAEIAMABBAEMAQQBBAE0AUQBBAGcAQQBIADAAQQBJAEEAQgA5AEEAQQA9AD0A 10341000x8000000000000000657Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:36.145{928AB1BB-E35D-60C1-0B00-00000000C301}632852C:\Windows\system32\lsass.exe{928AB1BB-E3F0-60C1-C802-00000000C301}2384C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000656Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:36.145{928AB1BB-E35D-60C1-0B00-00000000C301}632852C:\Windows\system32\lsass.exe{928AB1BB-E3F0-60C1-C802-00000000C301}2384C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 17141700x8000000000000000655Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-CreatePipe2021-06-10 10:05:36.129{928AB1BB-E3F0-60C1-C802-00000000C301}2384\PSHost.132677931360745547.2384.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 23542300x8000000000000000654Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:36.114{928AB1BB-E3F0-60C1-C802-00000000C301}2384ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_ykcwxtf3.xvk.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000653Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:36.114{928AB1BB-E3F0-60C1-C802-00000000C301}2384ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_ahktj0i5.g2t.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000652Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:36.098{928AB1BB-E3F0-60C1-C802-00000000C301}2384C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_ahktj0i5.g2t.ps12021-06-10 10:05:36.098 10341000x8000000000000000651Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:36.098{928AB1BB-E35F-60C1-0C00-00000000C301}860888C:\Windows\system32\svchost.exe{928AB1BB-E3F0-60C1-C802-00000000C301}2384C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000650Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:36.082{928AB1BB-E35D-60C1-0B00-00000000C301}632852C:\Windows\system32\lsass.exe{928AB1BB-E35F-60C1-1300-00000000C301}964C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+1d1e8|C:\Windows\system32\lsasrv.dll+1c411|C:\Windows\system32\lsasrv.dll+1ac30|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:36.082{928AB1BB-E35D-60C1-0B00-00000000C301}632852C:\Windows\system32\lsass.exe{928AB1BB-E35F-60C1-1300-00000000C301}964C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+19616|C:\Windows\system32\lsasrv.dll+1abbf|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000648Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:36.082{928AB1BB-E35D-60C1-0B00-00000000C301}632852C:\Windows\system32\lsass.exe{928AB1BB-E35F-60C1-1300-00000000C301}964C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000647Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:36.066{928AB1BB-E3EF-60C1-C402-00000000C301}49805000C:\Windows\system32\conhost.exe{928AB1BB-E3F0-60C1-C802-00000000C301}2384C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000646Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:36.066{928AB1BB-E35F-60C1-0C00-00000000C301}860888C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000645Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:36.066{928AB1BB-E35F-60C1-0C00-00000000C301}860888C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000644Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:36.066{928AB1BB-E35F-60C1-0C00-00000000C301}860888C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000643Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:36.066{928AB1BB-E35F-60C1-0C00-00000000C301}860888C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000642Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:36.066{928AB1BB-E35F-60C1-0C00-00000000C301}860888C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000641Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:36.066{928AB1BB-E35F-60C1-0C00-00000000C301}860888C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000640Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:36.066{928AB1BB-E35F-60C1-0C00-00000000C301}860888C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000639Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:36.066{928AB1BB-E35F-60C1-0C00-00000000C301}860888C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000638Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:36.066{928AB1BB-E35F-60C1-0C00-00000000C301}860888C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000637Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:36.066{928AB1BB-E349-60C1-0500-00000000C301}412428C:\Windows\system32\csrss.exe{928AB1BB-E3F0-60C1-C802-00000000C301}2384C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000636Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:36.066{928AB1BB-E3F0-60C1-C702-00000000C301}37123804C:\Windows\system32\cmd.exe{928AB1BB-E3F0-60C1-C802-00000000C301}2384C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000635Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:36.074{928AB1BB-E3F0-60C1-C802-00000000C301}2384C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXEPowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand UABvAHcAZQByAFMAaABlAGwAbAAgAC0ATgBvAFAAcgBvAGYAaQBsAGUAIAAtAE4AbwBuAEkAbgB0AGUAcgBhAGMAdABpAHYAZQAgAC0ARQB4AGUAYwB1AHQAaQBvAG4AUABvAGwAaQBjAHkAIABVAG4AcgBlAHMAdAByAGkAYwB0AGUAZAAgAC0ARQBuAGMAbwBkAGUAZABDAG8AbQBtAGEAbgBkACAAVQB3AEIAbABBAEgAUQBBAEwAUQBCAFQAQQBIAFEAQQBjAGcAQgBwAEEARwBNAEEAZABBAEIATgBBAEcAOABBAFoAQQBCAGwAQQBDAEEAQQBMAFEAQgBXAEEARwBVAEEAYwBnAEIAegBBAEcAawBBAGIAdwBCAHUAQQBDAEEAQQBUAEEAQgBoAEEASABRAEEAWgBRAEIAegBBAEgAUQBBAEMAZwBCAHoAQQBHAGcAQQBkAFEAQgAwAEEARwBRAEEAYgB3AEIAMwBBAEcANABBAEkAQQBBAHYAQQBIAEkAQQBJAEEAQQB2AEEASABRAEEASQBBAEEAeQBBAEMAQQBBAEwAdwBCAGoAQQBDAEEAQQBJAGcAQgBTAEEARwBVAEEAWQBnAEIAdgBBAEcAOABBAGQAQQBBAGcAQQBHAGsAQQBiAGcAQgBwAEEASABRAEEAYQBRAEIAaABBAEgAUQBBAFoAUQBCAGsAQQBDAEEAQQBZAGcAQgA1AEEAQwBBAEEAUQBRAEIAdQBBAEgATQBBAGEAUQBCAGkAQQBHAHcAQQBaAFEAQQBpAEEAQQBvAEEAUwBRAEIAbQBBAEMAQQBBAEsAQQBBAHQAQQBHADQAQQBiAHcAQgAwAEEAQwBBAEEASgBBAEEALwBBAEMAawBBAEkAQQBCADcAQQBDAEEAQQBTAFEAQgBtAEEAQwBBAEEASwBBAEIASABBAEcAVQBBAGQAQQBBAHQAQQBGAFkAQQBZAFEAQgB5AEEARwBrAEEAWQBRAEIAaQBBAEcAdwBBAFoAUQBBAGcAQQBFAHcAQQBRAFEAQgBUAEEARgBRAEEAUgBRAEIAWQBBAEUAawBBAFYAQQBCAEQAQQBFADgAQQBSAEEAQgBGAEEAQwBBAEEATABRAEIARgBBAEgASQBBAGMAZwBCAHYAQQBIAEkAQQBRAFEAQgBqAEEASABRAEEAYQBRAEIAdgBBAEcANABBAEkAQQBCAFQAQQBHAGsAQQBiAEEAQgBsAEEARwA0AEEAZABBAEIAcwBBAEgAawBBAFEAdwBCAHYAQQBHADQAQQBkAEEAQgBwAEEARwA0AEEAZABRAEIAbABBAEMAawBBAEkAQQBCADcAQQBDAEEAQQBaAFEAQgA0AEEARwBrAEEAZABBAEEAZwBBAEMAUQBBAFQAQQBCAEIAQQBGAE0AQQBWAEEAQgBGAEEARgBnAEEAUwBRAEIAVQBBAEUATQBBAFQAdwBCAEUAQQBFAFUAQQBJAEEAQgA5AEEAQwBBAEEAUgBRAEIAcwBBAEgATQBBAFoAUQBBAGcAQQBIAHMAQQBJAEEAQgBsAEEASABnAEEAYQBRAEIAMABBAEMAQQBBAE0AUQBBAGcAQQBIADAAQQBJAEEAQgA5AEEAQQA9AD0AC:\Users\Administrator\ATTACKRANGE\Administrator{928AB1BB-E3EF-60C1-7561-0E0000000000}0xe61750HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{928AB1BB-E3F0-60C1-C702-00000000C301}3712C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /C PowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand UABvAHcAZQByAFMAaABlAGwAbAAgAC0ATgBvAFAAcgBvAGYAaQBsAGUAIAAtAE4AbwBuAEkAbgB0AGUAcgBhAGMAdABpAHYAZQAgAC0ARQB4AGUAYwB1AHQAaQBvAG4AUABvAGwAaQBjAHkAIABVAG4AcgBlAHMAdAByAGkAYwB0AGUAZAAgAC0ARQBuAGMAbwBkAGUAZABDAG8AbQBtAGEAbgBkACAAVQB3AEIAbABBAEgAUQBBAEwAUQBCAFQAQQBIAFEAQQBjAGcAQgBwAEEARwBNAEEAZABBAEIATgBBAEcAOABBAFoAQQBCAGwAQQBDAEEAQQBMAFEAQgBXAEEARwBVAEEAYwBnAEIAegBBAEcAawBBAGIAdwBCAHUAQQBDAEEAQQBUAEEAQgBoAEEASABRAEEAWgBRAEIAegBBAEgAUQBBAEMAZwBCAHoAQQBHAGcAQQBkAFEAQgAwAEEARwBRAEEAYgB3AEIAMwBBAEcANABBAEkAQQBBAHYAQQBIAEkAQQBJAEEAQQB2AEEASABRAEEASQBBAEEAeQBBAEMAQQBBAEwAdwBCAGoAQQBDAEEAQQBJAGcAQgBTAEEARwBVAEEAWQBnAEIAdgBBAEcAOABBAGQAQQBBAGcAQQBHAGsAQQBiAGcAQgBwAEEASABRAEEAYQBRAEIAaABBAEgAUQBBAFoAUQBCAGsAQQBDAEEAQQBZAGcAQgA1AEEAQwBBAEEAUQBRAEIAdQBBAEgATQBBAGEAUQBCAGkAQQBHAHcAQQBaAFEAQQBpAEEAQQBvAEEAUwBRAEIAbQBBAEMAQQBBAEsAQQBBAHQAQQBHADQAQQBiAHcAQgAwAEEAQwBBAEEASgBBAEEALwBBAEMAawBBAEkAQQBCADcAQQBDAEEAQQBTAFEAQgBtAEEAQwBBAEEASwBBAEIASABBAEcAVQBBAGQAQQBBAHQAQQBGAFkAQQBZAFEAQgB5AEEARwBrAEEAWQBRAEIAaQBBAEcAdwBBAFoAUQBBAGcAQQBFAHcAQQBRAFEAQgBUAEEARgBRAEEAUgBRAEIAWQBBAEUAawBBAFYAQQBCAEQAQQBFADgAQQBSAEEAQgBGAEEAQwBBAEEATABRAEIARgBBAEgASQBBAGMAZwBCAHYAQQBIAEkAQQBRAFEAQgBqAEEASABRAEEAYQBRAEIAdgBBAEcANABBAEkAQQBCAFQAQQBHAGsAQQBiAEEAQgBsAEEARwA0AEEAZABBAEIAcwBBAEgAawBBAFEAdwBCAHYAQQBHADQAQQBkAEEAQgBwAEEARwA0AEEAZABRAEIAbABBAEMAawBBAEkAQQBCADcAQQBDAEEAQQBaAFEAQgA0AEEARwBrAEEAZABBAEEAZwBBAEMAUQBBAFQAQQBCAEIAQQBGAE0AQQBWAEEAQgBGAEEARgBnAEEAUwBRAEIAVQBBAEUATQBBAFQAdwBCAEUAQQBFAFUAQQBJAEEAQgA5AEEAQwBBAEEAUgBRAEIAcwBBAEgATQBBAFoAUQBBAGcAQQBIAHMAQQBJAEEAQgBsAEEASABnAEEAYQBRAEIAMABBAEMAQQBBAE0AUQBBAGcAQQBIADAAQQBJAEEAQgA5AEEAQQA9AD0A 10341000x8000000000000000634Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:36.066{928AB1BB-E3EF-60C1-C402-00000000C301}49805000C:\Windows\system32\conhost.exe{928AB1BB-E3F0-60C1-C702-00000000C301}3712C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000633Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:36.066{928AB1BB-E35F-60C1-0C00-00000000C301}860888C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000632Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:36.066{928AB1BB-E35F-60C1-0C00-00000000C301}860888C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000631Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:36.066{928AB1BB-E35F-60C1-0C00-00000000C301}860888C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000630Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:36.066{928AB1BB-E35F-60C1-0C00-00000000C301}860888C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000629Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:36.066{928AB1BB-E35F-60C1-0C00-00000000C301}860888C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000628Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:36.066{928AB1BB-E35F-60C1-0C00-00000000C301}860888C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000627Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:36.066{928AB1BB-E35F-60C1-0C00-00000000C301}860888C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000626Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:36.066{928AB1BB-E35F-60C1-0C00-00000000C301}860888C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000625Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:36.066{928AB1BB-E35F-60C1-0C00-00000000C301}860888C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000624Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:36.066{928AB1BB-E349-60C1-0500-00000000C301}412428C:\Windows\system32\csrss.exe{928AB1BB-E3F0-60C1-C702-00000000C301}3712C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000623Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:36.066{928AB1BB-E3EF-60C1-C302-00000000C301}49685024C:\Windows\system32\WinrsHost.exe{928AB1BB-E3F0-60C1-C702-00000000C301}3712C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\WinrsHost.exe+2c94|C:\Windows\system32\WinrsHost.exe+2eb1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b 154100x8000000000000000622Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:36.069{928AB1BB-E3F0-60C1-C702-00000000C301}3712C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /C PowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand UABvAHcAZQByAFMAaABlAGwAbAAgAC0ATgBvAFAAcgBvAGYAaQBsAGUAIAAtAE4AbwBuAEkAbgB0AGUAcgBhAGMAdABpAHYAZQAgAC0ARQB4AGUAYwB1AHQAaQBvAG4AUABvAGwAaQBjAHkAIABVAG4AcgBlAHMAdAByAGkAYwB0AGUAZAAgAC0ARQBuAGMAbwBkAGUAZABDAG8AbQBtAGEAbgBkACAAVQB3AEIAbABBAEgAUQBBAEwAUQBCAFQAQQBIAFEAQQBjAGcAQgBwAEEARwBNAEEAZABBAEIATgBBAEcAOABBAFoAQQBCAGwAQQBDAEEAQQBMAFEAQgBXAEEARwBVAEEAYwBnAEIAegBBAEcAawBBAGIAdwBCAHUAQQBDAEEAQQBUAEEAQgBoAEEASABRAEEAWgBRAEIAegBBAEgAUQBBAEMAZwBCAHoAQQBHAGcAQQBkAFEAQgAwAEEARwBRAEEAYgB3AEIAMwBBAEcANABBAEkAQQBBAHYAQQBIAEkAQQBJAEEAQQB2AEEASABRAEEASQBBAEEAeQBBAEMAQQBBAEwAdwBCAGoAQQBDAEEAQQBJAGcAQgBTAEEARwBVAEEAWQBnAEIAdgBBAEcAOABBAGQAQQBBAGcAQQBHAGsAQQBiAGcAQgBwAEEASABRAEEAYQBRAEIAaABBAEgAUQBBAFoAUQBCAGsAQQBDAEEAQQBZAGcAQgA1AEEAQwBBAEEAUQBRAEIAdQBBAEgATQBBAGEAUQBCAGkAQQBHAHcAQQBaAFEAQQBpAEEAQQBvAEEAUwBRAEIAbQBBAEMAQQBBAEsAQQBBAHQAQQBHADQAQQBiAHcAQgAwAEEAQwBBAEEASgBBAEEALwBBAEMAawBBAEkAQQBCADcAQQBDAEEAQQBTAFEAQgBtAEEAQwBBAEEASwBBAEIASABBAEcAVQBBAGQAQQBBAHQAQQBGAFkAQQBZAFEAQgB5AEEARwBrAEEAWQBRAEIAaQBBAEcAdwBBAFoAUQBBAGcAQQBFAHcAQQBRAFEAQgBUAEEARgBRAEEAUgBRAEIAWQBBAEUAawBBAFYAQQBCAEQAQQBFADgAQQBSAEEAQgBGAEEAQwBBAEEATABRAEIARgBBAEgASQBBAGMAZwBCAHYAQQBIAEkAQQBRAFEAQgBqAEEASABRAEEAYQBRAEIAdgBBAEcANABBAEkAQQBCAFQAQQBHAGsAQQBiAEEAQgBsAEEARwA0AEEAZABBAEIAcwBBAEgAawBBAFEAdwBCAHYAQQBHADQAQQBkAEEAQgBwAEEARwA0AEEAZABRAEIAbABBAEMAawBBAEkAQQBCADcAQQBDAEEAQQBaAFEAQgA0AEEARwBrAEEAZABBAEEAZwBBAEMAUQBBAFQAQQBCAEIAQQBGAE0AQQBWAEEAQgBGAEEARgBnAEEAUwBRAEIAVQBBAEUATQBBAFQAdwBCAEUAQQBFAFUAQQBJAEEAQgA5AEEAQwBBAEEAUgBRAEIAcwBBAEgATQBBAFoAUQBBAGcAQQBIAHMAQQBJAEEAQgBsAEEASABnAEEAYQBRAEIAMABBAEMAQQBBAE0AUQBBAGcAQQBIADAAQQBJAEEAQgA5AEEAQQA9AD0AC:\Users\Administrator\ATTACKRANGE\Administrator{928AB1BB-E3EF-60C1-7561-0E0000000000}0xe61750HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{928AB1BB-E3EF-60C1-C302-00000000C301}4968C:\Windows\System32\winrshost.exeC:\Windows\system32\WinrsHost.exe -Embedding 10341000x8000000000000000621Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:36.066{928AB1BB-E35D-60C1-0B00-00000000C301}632852C:\Windows\system32\lsass.exe{928AB1BB-E35F-60C1-1300-00000000C301}964C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+1d1e8|C:\Windows\system32\lsasrv.dll+1c411|C:\Windows\system32\lsasrv.dll+1ac30|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000620Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:36.066{928AB1BB-E35D-60C1-0B00-00000000C301}632852C:\Windows\system32\lsass.exe{928AB1BB-E35F-60C1-1300-00000000C301}964C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+19616|C:\Windows\system32\lsasrv.dll+1abbf|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000619Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:36.051{928AB1BB-E35D-60C1-0B00-00000000C301}632852C:\Windows\system32\lsass.exe{928AB1BB-E35F-60C1-1300-00000000C301}964C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000618Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:36.035{928AB1BB-E35D-60C1-0B00-00000000C301}632852C:\Windows\system32\lsass.exe{928AB1BB-E35F-60C1-1300-00000000C301}964C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+1d1e8|C:\Windows\system32\lsasrv.dll+1c411|C:\Windows\system32\lsasrv.dll+1ac30|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000617Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:36.035{928AB1BB-E35D-60C1-0B00-00000000C301}632852C:\Windows\system32\lsass.exe{928AB1BB-E35F-60C1-1300-00000000C301}964C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+19616|C:\Windows\system32\lsasrv.dll+1abbf|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000616Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:36.035{928AB1BB-E35D-60C1-0B00-00000000C301}632852C:\Windows\system32\lsass.exe{928AB1BB-E35F-60C1-1300-00000000C301}964C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000778Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:37.778{928AB1BB-E3CF-60C1-2002-00000000C301}3352NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=51F906C4790E15A3B340D4895F19B519,SHA256=02D7CC25488669401E35EF060DF86293B14B91C49514513822CA865EFF7F4EAB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000777Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:37.778{928AB1BB-E3CF-60C1-2002-00000000C301}3352NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=5403CA973472786B870242B75DA18F99,SHA256=94494166308F70C0A96F685787DAA9E4A3CE015FD4CF29B6600CA44373AF8263,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000776Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:36.526{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-365.attackrange.local52402-false10.0.1.14win-dc-365.attackrange.local445microsoft-ds 354300x8000000000000000775Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:36.526{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-365.attackrange.local52402-false10.0.1.14win-dc-365.attackrange.local445microsoft-ds 10341000x8000000000000000774Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:37.621{928AB1BB-E35D-60C1-0B00-00000000C301}632692C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x8000000000000000773Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:37.621{928AB1BB-E35D-60C1-0B00-00000000C301}632692C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x8000000000000000772Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:37.621{928AB1BB-E35D-60C1-0B00-00000000C301}632852C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x8000000000000000771Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:37.621{928AB1BB-E35D-60C1-0B00-00000000C301}632844C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x8000000000000000770Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:37.621{928AB1BB-E35D-60C1-0B00-00000000C301}632844C:\Windows\system32\lsass.exe{928AB1BB-E35F-60C1-1600-00000000C301}1264C:\Windows\system32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000769Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:37.621{928AB1BB-E35D-60C1-0B00-00000000C301}632844C:\Windows\system32\lsass.exe{928AB1BB-E35F-60C1-1600-00000000C301}1264C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000768Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:36.383{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse46.128.24.7946.128.24.79.dynamic.cablesurf.de52676-false10.0.1.14win-dc-365.attackrange.local5986- 354300x8000000000000000767Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:35.579{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse46.128.24.7946.128.24.79.dynamic.cablesurf.de52675-false10.0.1.14win-dc-365.attackrange.local5986- 10341000x8000000000000000875Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:38.846{928AB1BB-E35D-60C1-0B00-00000000C301}632852C:\Windows\system32\lsass.exe{928AB1BB-E35F-60C1-1300-00000000C301}964C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+1d1e8|C:\Windows\system32\lsasrv.dll+1c411|C:\Windows\system32\lsasrv.dll+1ac30|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000874Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:38.846{928AB1BB-E35D-60C1-0B00-00000000C301}632852C:\Windows\system32\lsass.exe{928AB1BB-E35F-60C1-1300-00000000C301}964C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+19616|C:\Windows\system32\lsasrv.dll+1abbf|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000873Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:38.846{928AB1BB-E35D-60C1-0B00-00000000C301}632852C:\Windows\system32\lsass.exe{928AB1BB-E35F-60C1-1300-00000000C301}964C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000872Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:38.799{928AB1BB-E3F2-60C1-D202-00000000C301}4308ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5=446DD1CF97EABA21CF14D03AEBC79F27,SHA256=A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000871Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:37.554{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-365.attackrange.local52406-false10.0.1.14win-dc-365.attackrange.local445microsoft-ds 354300x8000000000000000870Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:37.554{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-365.attackrange.local52406-false10.0.1.14win-dc-365.attackrange.local445microsoft-ds 10341000x8000000000000000869Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:38.658{928AB1BB-E35D-60C1-0B00-00000000C301}632844C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x8000000000000000868Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:38.642{928AB1BB-E35D-60C1-0B00-00000000C301}632852C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x8000000000000000867Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:38.642{928AB1BB-E35D-60C1-0B00-00000000C301}632692C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x8000000000000000866Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:38.642{928AB1BB-E35D-60C1-0B00-00000000C301}632840C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 23542300x8000000000000000865Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:38.642{928AB1BB-E3CF-60C1-2002-00000000C301}3352NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=51F906C4790E15A3B340D4895F19B519,SHA256=02D7CC25488669401E35EF060DF86293B14B91C49514513822CA865EFF7F4EAB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000864Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:38.614{928AB1BB-E35D-60C1-0B00-00000000C301}632840C:\Windows\system32\lsass.exe{928AB1BB-E3F2-60C1-D202-00000000C301}4308C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000863Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:38.614{928AB1BB-E35D-60C1-0B00-00000000C301}632840C:\Windows\system32\lsass.exe{928AB1BB-E3F2-60C1-D202-00000000C301}4308C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 17141700x8000000000000000862Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-CreatePipe2021-06-10 10:05:38.579{928AB1BB-E3F2-60C1-D202-00000000C301}4308\PSHost.132677931385319227.4308.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 23542300x8000000000000000861Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:38.579{928AB1BB-E3F2-60C1-D202-00000000C301}4308ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_bbf3x1hk.aiw.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000860Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:38.579{928AB1BB-E3F2-60C1-D202-00000000C301}4308ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_2xis2w3w.kdu.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000859Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:38.563{928AB1BB-E3F2-60C1-D202-00000000C301}4308C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_2xis2w3w.kdu.ps12021-06-10 10:05:38.563 10341000x8000000000000000858Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:38.547{928AB1BB-E35F-60C1-0C00-00000000C301}860904C:\Windows\system32\svchost.exe{928AB1BB-E3F2-60C1-D202-00000000C301}4308C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000857Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:38.547{928AB1BB-E35D-60C1-0B00-00000000C301}632692C:\Windows\system32\lsass.exe{928AB1BB-E35F-60C1-1300-00000000C301}964C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+1d1e8|C:\Windows\system32\lsasrv.dll+1c411|C:\Windows\system32\lsasrv.dll+1ac30|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000856Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:38.547{928AB1BB-E35D-60C1-0B00-00000000C301}632692C:\Windows\system32\lsass.exe{928AB1BB-E35F-60C1-1300-00000000C301}964C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+19616|C:\Windows\system32\lsasrv.dll+1abbf|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000855Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:38.532{928AB1BB-E35D-60C1-0B00-00000000C301}632692C:\Windows\system32\lsass.exe{928AB1BB-E35F-60C1-1300-00000000C301}964C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000854Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:38.532{928AB1BB-E3F2-60C1-D002-00000000C301}45564580C:\Windows\system32\conhost.exe{928AB1BB-E3F2-60C1-D202-00000000C301}4308C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000853Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:38.532{928AB1BB-E35F-60C1-0C00-00000000C301}860904C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000852Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:38.532{928AB1BB-E35F-60C1-0C00-00000000C301}860904C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000851Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:38.532{928AB1BB-E35F-60C1-0C00-00000000C301}860904C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000850Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:38.532{928AB1BB-E35F-60C1-0C00-00000000C301}860904C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000849Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:38.532{928AB1BB-E35F-60C1-0C00-00000000C301}860904C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000848Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:38.532{928AB1BB-E35F-60C1-0C00-00000000C301}860904C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000847Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:38.532{928AB1BB-E35F-60C1-0C00-00000000C301}860904C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000846Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:38.532{928AB1BB-E35F-60C1-0C00-00000000C301}860904C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000845Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:38.532{928AB1BB-E349-60C1-0500-00000000C301}412532C:\Windows\system32\csrss.exe{928AB1BB-E3F2-60C1-D202-00000000C301}4308C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000844Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:38.532{928AB1BB-E35F-60C1-0C00-00000000C301}860904C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000843Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:38.516{928AB1BB-E3F2-60C1-D102-00000000C301}42804284C:\Windows\system32\cmd.exe{928AB1BB-E3F2-60C1-D202-00000000C301}4308C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000842Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:38.531{928AB1BB-E3F2-60C1-D202-00000000C301}4308C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXEPowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand KABHAGUAdAAtAFcAbQBpAE8AYgBqAGUAYwB0ACAALQBDAGwAYQBzAHMATgBhAG0AZQAgAFcAaQBuADMAMgBfAE8AcABlAHIAYQB0AGkAbgBnAFMAeQBzAHQAZQBtACkALgBMAGEAcwB0AEIAbwBvAHQAVQBwAFQAaQBtAGUAC:\Users\Administrator\ATTACKRANGE\Administrator{928AB1BB-E3F2-60C1-DED4-0E0000000000}0xed4de0HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{928AB1BB-E3F2-60C1-D102-00000000C301}4280C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /C PowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand KABHAGUAdAAtAFcAbQBpAE8AYgBqAGUAYwB0ACAALQBDAGwAYQBzAHMATgBhAG0AZQAgAFcAaQBuADMAMgBfAE8AcABlAHIAYQB0AGkAbgBnAFMAeQBzAHQAZQBtACkALgBMAGEAcwB0AEIAbwBvAHQAVQBwAFQAaQBtAGUA 10341000x8000000000000000841Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:38.516{928AB1BB-E3F2-60C1-D002-00000000C301}45564580C:\Windows\system32\conhost.exe{928AB1BB-E3F2-60C1-D102-00000000C301}4280C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000840Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:38.516{928AB1BB-E35F-60C1-0C00-00000000C301}860904C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000839Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:38.516{928AB1BB-E35F-60C1-0C00-00000000C301}860904C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000838Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:38.516{928AB1BB-E35F-60C1-0C00-00000000C301}860904C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000837Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:38.516{928AB1BB-E35F-60C1-0C00-00000000C301}860904C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000836Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:38.516{928AB1BB-E35F-60C1-0C00-00000000C301}860904C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000835Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:38.516{928AB1BB-E35F-60C1-0C00-00000000C301}860904C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000834Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:38.516{928AB1BB-E35F-60C1-0C00-00000000C301}860904C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000833Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:38.516{928AB1BB-E35F-60C1-0C00-00000000C301}860904C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000832Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:38.516{928AB1BB-E349-60C1-0500-00000000C301}412532C:\Windows\system32\csrss.exe{928AB1BB-E3F2-60C1-D102-00000000C301}4280C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000831Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:38.516{928AB1BB-E35F-60C1-0C00-00000000C301}860904C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000830Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:38.516{928AB1BB-E3F2-60C1-CF02-00000000C301}44484272C:\Windows\system32\WinrsHost.exe{928AB1BB-E3F2-60C1-D102-00000000C301}4280C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\WinrsHost.exe+2c94|C:\Windows\system32\WinrsHost.exe+2eb1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b 154100x8000000000000000829Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:38.525{928AB1BB-E3F2-60C1-D102-00000000C301}4280C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /C PowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand KABHAGUAdAAtAFcAbQBpAE8AYgBqAGUAYwB0ACAALQBDAGwAYQBzAHMATgBhAG0AZQAgAFcAaQBuADMAMgBfAE8AcABlAHIAYQB0AGkAbgBnAFMAeQBzAHQAZQBtACkALgBMAGEAcwB0AEIAbwBvAHQAVQBwAFQAaQBtAGUAC:\Users\Administrator\ATTACKRANGE\Administrator{928AB1BB-E3F2-60C1-DED4-0E0000000000}0xed4de0HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{928AB1BB-E3F2-60C1-CF02-00000000C301}4448C:\Windows\System32\winrshost.exeC:\Windows\system32\WinrsHost.exe -Embedding 10341000x8000000000000000828Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:38.516{928AB1BB-E35D-60C1-0B00-00000000C301}632692C:\Windows\system32\lsass.exe{928AB1BB-E35F-60C1-1300-00000000C301}964C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+1d1e8|C:\Windows\system32\lsasrv.dll+1c411|C:\Windows\system32\lsasrv.dll+1ac30|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000827Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:38.516{928AB1BB-E35D-60C1-0B00-00000000C301}632692C:\Windows\system32\lsass.exe{928AB1BB-E35F-60C1-1300-00000000C301}964C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+19616|C:\Windows\system32\lsasrv.dll+1abbf|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000826Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:38.516{928AB1BB-E35D-60C1-0B00-00000000C301}632692C:\Windows\system32\lsass.exe{928AB1BB-E35F-60C1-1300-00000000C301}964C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000825Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:37.179{928AB1BB-E36F-60C1-1F00-00000000C301}2448C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-365.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-365.attackrange.local59462- 354300x8000000000000000824Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:37.179{928AB1BB-E36F-60C1-1F00-00000000C301}2448C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-365.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-365.attackrange.local57955- 354300x8000000000000000823Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:37.178{928AB1BB-E36F-60C1-1F00-00000000C301}2448C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-365.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-365.attackrange.local63783- 10341000x8000000000000000822Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:38.485{928AB1BB-E35F-60C1-1300-00000000C301}9641824C:\Windows\system32\svchost.exe{928AB1BB-E3F2-60C1-CF02-00000000C301}4448C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\winrscmd.dll+8d36|C:\Windows\system32\winrscmd.dll+92d5|C:\Windows\system32\winrscmd.dll+af31|C:\Windows\system32\winrscmd.dll+23dc|c:\windows\system32\wsmsvc.dll+155ac7|c:\windows\system32\wsmsvc.dll+13f76d|c:\windows\system32\wsmsvc.dll+13f3cf|c:\windows\system32\wsmsvc.dll+13fcb2|c:\windows\system32\wsmsvc.dll+9ab10|c:\windows\system32\wsmsvc.dll+9b611|c:\windows\system32\wsmsvc.dll+4495|c:\windows\system32\wsmsvc.dll+16816c|c:\windows\system32\wsmsvc.dll+1689b8|c:\windows\system32\wsmsvc.dll+16345b|c:\windows\system32\wsmsvc.dll+163125|c:\windows\system32\wsmsvc.dll+14ce9c|c:\windows\system32\wsmsvc.dll+130049|c:\windows\system32\wsmsvc.dll+13571a|c:\windows\system32\wsmsvc.dll+12f47e|c:\windows\system32\wsmsvc.dll+125587|c:\windows\system32\wsmsvc.dll+11f562|c:\windows\system32\wsmsvc.dll+124574 10341000x8000000000000000821Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:38.485{928AB1BB-E35F-60C1-0C00-00000000C301}860904C:\Windows\system32\svchost.exe{928AB1BB-E3F2-60C1-CF02-00000000C301}4448C:\Windows\system32\WinrsHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000820Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:38.469{928AB1BB-E3F2-60C1-D002-00000000C301}45564580C:\Windows\system32\conhost.exe{928AB1BB-E3F2-60C1-CF02-00000000C301}4448C:\Windows\system32\WinrsHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000819Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:38.469{928AB1BB-E349-60C1-0500-00000000C301}412532C:\Windows\system32\csrss.exe{928AB1BB-E3F2-60C1-D002-00000000C301}4556C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000818Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:38.453{928AB1BB-E35F-60C1-0C00-00000000C301}860904C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000817Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:38.453{928AB1BB-E35F-60C1-0C00-00000000C301}860904C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000816Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:38.453{928AB1BB-E35F-60C1-0C00-00000000C301}860904C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000815Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:38.453{928AB1BB-E35F-60C1-0C00-00000000C301}860904C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000814Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:38.453{928AB1BB-E35F-60C1-0C00-00000000C301}860904C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000813Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:38.453{928AB1BB-E35F-60C1-0C00-00000000C301}860904C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000812Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:38.453{928AB1BB-E35F-60C1-0C00-00000000C301}860108C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000811Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:38.453{928AB1BB-E35F-60C1-0C00-00000000C301}860108C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000810Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:38.453{928AB1BB-E35F-60C1-0C00-00000000C301}860108C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:38.453{928AB1BB-E349-60C1-0500-00000000C301}412500C:\Windows\system32\csrss.exe{928AB1BB-E3F2-60C1-CF02-00000000C301}4448C:\Windows\system32\WinrsHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000808Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:38.453{928AB1BB-E35F-60C1-0C00-00000000C301}860904C:\Windows\system32\svchost.exe{928AB1BB-E3F2-60C1-CF02-00000000C301}4448C:\Windows\system32\WinrsHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+35069|c:\windows\system32\rpcss.dll+3a852|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000807Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:38.465{928AB1BB-E3F2-60C1-CF02-00000000C301}4448C:\Windows\System32\winrshost.exe10.0.14393.0 (rs1_release.160715-1616)Host Process for WinRM's Remote Shell pluginMicrosoft® Windows® Operating SystemMicrosoft Corporationwinrshost.exeC:\Windows\system32\WinrsHost.exe -EmbeddingC:\Windows\system32\ATTACKRANGE\Administrator{928AB1BB-E3F2-60C1-DED4-0E0000000000}0xed4de0HighMD5=F40EC96CA18D88CB1F26FA2070010714,SHA256=607C014A3CA531FFAD50BCD90095C01E4E6B691D9E18473C70E4699CF1E31453,IMPHASH=4216D8E7F36901B61DFD6309B49BCF96{928AB1BB-E35F-60C1-0C00-00000000C301}860C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch 10341000x8000000000000000806Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:38.453{928AB1BB-E35D-60C1-0B00-00000000C301}632692C:\Windows\system32\lsass.exe{928AB1BB-E35F-60C1-1300-00000000C301}964C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+1d1e8|C:\Windows\system32\lsasrv.dll+1c411|C:\Windows\system32\lsasrv.dll+1ac30|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:38.453{928AB1BB-E35D-60C1-0B00-00000000C301}632692C:\Windows\system32\lsass.exe{928AB1BB-E35F-60C1-1300-00000000C301}964C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+19616|C:\Windows\system32\lsasrv.dll+1abbf|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000804Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:38.453{928AB1BB-E35D-60C1-0B00-00000000C301}632692C:\Windows\system32\lsass.exe{928AB1BB-E35F-60C1-1300-00000000C301}964C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000803Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:38.343{928AB1BB-E35F-60C1-0C00-00000000C301}860904C:\Windows\system32\svchost.exe{928AB1BB-E357-60C1-0700-00000000C301}488C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000802Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:38.343{928AB1BB-E35F-60C1-0C00-00000000C301}860904C:\Windows\system32\svchost.exe{928AB1BB-E357-60C1-0700-00000000C301}488C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000801Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:38.343{928AB1BB-E35F-60C1-0C00-00000000C301}860904C:\Windows\system32\svchost.exe{928AB1BB-E357-60C1-0700-00000000C301}488C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000800Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:38.343{928AB1BB-E35F-60C1-0C00-00000000C301}860108C:\Windows\system32\svchost.exe{928AB1BB-E357-60C1-0700-00000000C301}488C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000799Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:38.343{928AB1BB-E35F-60C1-0C00-00000000C301}860108C:\Windows\system32\svchost.exe{928AB1BB-E357-60C1-0700-00000000C301}488C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000798Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:38.343{928AB1BB-E35F-60C1-0C00-00000000C301}860888C:\Windows\system32\svchost.exe{928AB1BB-E357-60C1-0700-00000000C301}488C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000797Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:38.343{928AB1BB-E35F-60C1-0C00-00000000C301}860108C:\Windows\system32\svchost.exe{928AB1BB-E357-60C1-0700-00000000C301}488C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+163fd|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000796Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:38.343{928AB1BB-E35F-60C1-0C00-00000000C301}860108C:\Windows\system32\svchost.exe{928AB1BB-E357-60C1-0700-00000000C301}488C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+19ab3|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000795Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:38.343{928AB1BB-E35F-60C1-0C00-00000000C301}860108C:\Windows\system32\svchost.exe{928AB1BB-E357-60C1-0700-00000000C301}488C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1a375|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000794Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:38.343{928AB1BB-E35F-60C1-0C00-00000000C301}860904C:\Windows\system32\svchost.exe{928AB1BB-E357-60C1-0700-00000000C301}488C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+5d917|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000793Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:38.343{928AB1BB-E35F-60C1-0C00-00000000C301}860108C:\Windows\system32\svchost.exe{928AB1BB-E357-60C1-0700-00000000C301}488C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000792Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:38.343{928AB1BB-E35F-60C1-0C00-00000000C301}860108C:\Windows\system32\svchost.exe{928AB1BB-E357-60C1-0700-00000000C301}488C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000791Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:38.343{928AB1BB-E35F-60C1-0C00-00000000C301}860888C:\Windows\system32\svchost.exe{928AB1BB-E357-60C1-0700-00000000C301}488C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+163fd|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000790Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:38.343{928AB1BB-E35F-60C1-0C00-00000000C301}860108C:\Windows\system32\svchost.exe{928AB1BB-E357-60C1-0700-00000000C301}488C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000789Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:38.343{928AB1BB-E35F-60C1-0C00-00000000C301}860888C:\Windows\system32\svchost.exe{928AB1BB-E357-60C1-0700-00000000C301}488C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+19ab3|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000788Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:37.101{928AB1BB-E35F-60C1-0D00-00000000C301}920C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetrue0:0:0:0:0:0:0:1win-dc-365.attackrange.local52405-true0:0:0:0:0:0:0:1win-dc-365.attackrange.local135epmap 354300x8000000000000000787Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:37.101{928AB1BB-E35D-60C1-0B00-00000000C301}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-365.attackrange.local52405-true0:0:0:0:0:0:0:1win-dc-365.attackrange.local135epmap 354300x8000000000000000786Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:36.546{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsetrue2001:0:2851:782c:1039:10bb:f5ff:fef1-52404-true2001:0:2851:782c:1039:10bb:f5ff:fef1-445microsoft-ds 354300x8000000000000000785Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:36.546{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruetrue2001:0:2851:782c:1039:10bb:f5ff:fef1-52404-true2001:0:2851:782c:1039:10bb:f5ff:fef1-445microsoft-ds 354300x8000000000000000784Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:36.542{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local52403-truefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local445microsoft-ds 354300x8000000000000000783Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:36.542{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local52403-truefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local445microsoft-ds 22542200x8000000000000000782Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:36.555{928AB1BB-E35F-60C1-1000-00000000C301}8win-dc-365.attackrange.local0fe80::103f:51d:2a6e:90ce;fe80::1039:10bb:f5ff:fef1;2001:0:2851:782c:1039:10bb:f5ff:fef1;::ffff:10.0.1.14;C:\Windows\System32\svchost.exe 22542200x8000000000000000781Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:36.552{928AB1BB-E36F-60C1-2500-00000000C301}2684win-dc-365.attackrange.local0fe80::103f:51d:2a6e:90ce;fe80::1039:10bb:f5ff:fef1;2001:0:2851:782c:1039:10bb:f5ff:fef1;::ffff:10.0.1.14;C:\Windows\System32\dfssvc.exe 22542200x8000000000000000780Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:36.550{928AB1BB-E36F-60C1-2500-00000000C301}2684_ldap._tcp.dc._msdcs.attackrange.local.0type: 33 ;10.0.1.14;C:\Windows\System32\dfssvc.exe 22542200x8000000000000000779Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:36.537{928AB1BB-E35F-60C1-1000-00000000C301}8attackrange.local0::ffff:10.0.1.14;C:\Windows\System32\svchost.exe 354300x8000000000000000897Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:38.576{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:1039:10bb:f5ff:fef1-52411-truefe80:0:0:0:1039:10bb:f5ff:fef1-445microsoft-ds 354300x8000000000000000896Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:38.576{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:1039:10bb:f5ff:fef1-52411-truefe80:0:0:0:1039:10bb:f5ff:fef1-445microsoft-ds 354300x8000000000000000895Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:38.570{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-365.attackrange.local52410-false10.0.1.14win-dc-365.attackrange.local445microsoft-ds 354300x8000000000000000894Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:38.570{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-365.attackrange.local52410-false10.0.1.14win-dc-365.attackrange.local445microsoft-ds 10341000x8000000000000000893Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:39.709{928AB1BB-E35D-60C1-0B00-00000000C301}632840C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x8000000000000000892Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:39.694{928AB1BB-E35D-60C1-0B00-00000000C301}632692C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x8000000000000000891Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:39.694{928AB1BB-E35D-60C1-0B00-00000000C301}632844C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x8000000000000000890Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:39.694{928AB1BB-E35D-60C1-0B00-00000000C301}632852C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 354300x8000000000000000889Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:38.326{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse46.128.24.7946.128.24.79.dynamic.cablesurf.de52677-false10.0.1.14win-dc-365.attackrange.local5986- 354300x8000000000000000888Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:38.109{928AB1BB-E35F-60C1-1300-00000000C301}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetruea00:10e:2410:5748:9810:5884:83d2:ffff-63767-truee000:fc:0:88:85e8:0:8b:ceb8-5355llmnr 354300x8000000000000000887Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:38.109{928AB1BB-E35F-60C1-1300-00000000C301}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetruefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local63767-trueff02:0:0:0:0:0:1:3-5355llmnr 354300x8000000000000000886Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:38.100{928AB1BB-E36F-60C1-1F00-00000000C301}2448C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-365.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-365.attackrange.local54286- 354300x8000000000000000885Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:37.563{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsetrue2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52409-true2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 354300x8000000000000000884Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:37.563{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruetrue2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52409-true2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 354300x8000000000000000883Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:37.560{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local52408-truefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local445microsoft-ds 354300x8000000000000000882Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:37.560{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local52408-truefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local445microsoft-ds 354300x8000000000000000881Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:37.557{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:1039:10bb:f5ff:fef1-52407-truefe80:0:0:0:1039:10bb:f5ff:fef1-445microsoft-ds 354300x8000000000000000880Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:37.557{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:1039:10bb:f5ff:fef1-52407-truefe80:0:0:0:1039:10bb:f5ff:fef1-445microsoft-ds 22542200x8000000000000000879Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:37.505{928AB1BB-E35F-60C1-1100-00000000C301}404wpad9003-C:\Windows\System32\svchost.exe 22542200x8000000000000000878Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:37.193{928AB1BB-E35D-60C1-0B00-00000000C301}632_ldap._tcp.2967af94-a616-4dcb-90e6-05a4f1975e52.domains._msdcs.attackrange.local.0type: 33 ;10.0.1.14;C:\Windows\System32\lsass.exe 22542200x8000000000000000877Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:37.193{928AB1BB-E35D-60C1-0B00-00000000C301}632_ldap._tcp.dc._msdcs.attackrange.local.0type: 33 ;10.0.1.14;C:\Windows\System32\lsass.exe 22542200x8000000000000000876Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:37.192{928AB1BB-E35D-60C1-0B00-00000000C301}632_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.attackrange.local.0type: 33 ;10.0.1.14;C:\Windows\System32\lsass.exe 354300x8000000000000000913Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:39.619{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52415-truefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 354300x8000000000000000912Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:39.619{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52415-truefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 354300x8000000000000000911Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:39.616{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-365.attackrange.local52414-false10.0.1.14win-dc-365.attackrange.local445microsoft-ds 354300x8000000000000000910Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:39.616{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-365.attackrange.local52414-false10.0.1.14win-dc-365.attackrange.local445microsoft-ds 10341000x8000000000000000909Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:40.730{928AB1BB-E35D-60C1-0B00-00000000C301}632692C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x8000000000000000908Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:40.730{928AB1BB-E35D-60C1-0B00-00000000C301}632852C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x8000000000000000907Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:40.730{928AB1BB-E35D-60C1-0B00-00000000C301}632692C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x8000000000000000906Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:40.730{928AB1BB-E35D-60C1-0B00-00000000C301}632844C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 354300x8000000000000000905Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:39.272{928AB1BB-E36F-60C1-1F00-00000000C301}2448C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-365.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-365.attackrange.local64502- 354300x8000000000000000904Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:39.272{928AB1BB-E36F-60C1-1F00-00000000C301}2448C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-365.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-365.attackrange.local56632- 354300x8000000000000000903Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:39.271{928AB1BB-E36F-60C1-1F00-00000000C301}2448C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-365.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-365.attackrange.local65316- 354300x8000000000000000902Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:38.586{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsetrue2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52413-true2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 354300x8000000000000000901Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:38.586{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruetrue2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52413-true2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 354300x8000000000000000900Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:38.579{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local52412-truefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local445microsoft-ds 354300x8000000000000000899Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:38.579{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local52412-truefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local445microsoft-ds 23542300x8000000000000000898Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:40.212{928AB1BB-E3CF-60C1-2002-00000000C301}3352NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=8EA7597D8A48C68CD43E1A889169E42D,SHA256=ADB08403608C82B8BCA3D3BEB73C769663A85EFF181A2906D2271CE1EBED856C,IMPHASH=00000000000000000000000000000000falsetrue 17141700x8000000000000000982Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-CreatePipe2021-06-10 10:05:41.970{928AB1BB-E3F5-60C1-D602-00000000C301}4800\PSHost.132677931419241615.4800.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 23542300x8000000000000000981Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:41.970{928AB1BB-E3F5-60C1-D602-00000000C301}4800ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_ygwv1zmy.5y0.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000980Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:41.970{928AB1BB-E3F5-60C1-D602-00000000C301}4800ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_sua0tymh.34v.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000979Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:41.954{928AB1BB-E3F5-60C1-D602-00000000C301}4800C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_sua0tymh.34v.ps12021-06-10 10:05:41.954 10341000x8000000000000000978Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:41.939{928AB1BB-E35F-60C1-0C00-00000000C301}860108C:\Windows\system32\svchost.exe{928AB1BB-E3F5-60C1-D602-00000000C301}4800C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:41.939{928AB1BB-E35D-60C1-0B00-00000000C301}632852C:\Windows\system32\lsass.exe{928AB1BB-E35F-60C1-1300-00000000C301}964C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+1d1e8|C:\Windows\system32\lsasrv.dll+1c411|C:\Windows\system32\lsasrv.dll+1ac30|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:41.939{928AB1BB-E35D-60C1-0B00-00000000C301}632852C:\Windows\system32\lsass.exe{928AB1BB-E35F-60C1-1300-00000000C301}964C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+19616|C:\Windows\system32\lsasrv.dll+1abbf|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000975Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:41.939{928AB1BB-E35D-60C1-0B00-00000000C301}632852C:\Windows\system32\lsass.exe{928AB1BB-E35F-60C1-1300-00000000C301}964C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000974Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:41.923{928AB1BB-E3F5-60C1-D402-00000000C301}48724924C:\Windows\system32\conhost.exe{928AB1BB-E3F5-60C1-D602-00000000C301}4800C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000973Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:41.923{928AB1BB-E35F-60C1-0C00-00000000C301}860108C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000972Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:41.923{928AB1BB-E35F-60C1-0C00-00000000C301}860108C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000971Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:41.923{928AB1BB-E35F-60C1-0C00-00000000C301}860108C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000970Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:41.923{928AB1BB-E35F-60C1-0C00-00000000C301}860108C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000969Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:41.923{928AB1BB-E35F-60C1-0C00-00000000C301}860108C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000968Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:41.923{928AB1BB-E35F-60C1-0C00-00000000C301}860108C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000967Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:41.923{928AB1BB-E35F-60C1-0C00-00000000C301}860108C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000966Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:41.923{928AB1BB-E35F-60C1-0C00-00000000C301}860108C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000965Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:41.923{928AB1BB-E35F-60C1-0C00-00000000C301}860108C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000964Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:41.923{928AB1BB-E349-60C1-0500-00000000C301}412500C:\Windows\system32\csrss.exe{928AB1BB-E3F5-60C1-D602-00000000C301}4800C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000963Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:41.923{928AB1BB-E3F5-60C1-D502-00000000C301}47884784C:\Windows\system32\cmd.exe{928AB1BB-E3F5-60C1-D602-00000000C301}4800C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000962Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:41.924{928AB1BB-E3F5-60C1-D602-00000000C301}4800C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXEPowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand KABHAGUAdAAtAFcAbQBpAE8AYgBqAGUAYwB0ACAALQBDAGwAYQBzAHMATgBhAG0AZQAgAFcAaQBuADMAMgBfAE8AcABlAHIAYQB0AGkAbgBnAFMAeQBzAHQAZQBtACkALgBMAGEAcwB0AEIAbwBvAHQAVQBwAFQAaQBtAGUAC:\Users\Administrator\ATTACKRANGE\Administrator{928AB1BB-E3F5-60C1-64FA-0E0000000000}0xefa640HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{928AB1BB-E3F5-60C1-D502-00000000C301}4788C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /C PowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand KABHAGUAdAAtAFcAbQBpAE8AYgBqAGUAYwB0ACAALQBDAGwAYQBzAHMATgBhAG0AZQAgAFcAaQBuADMAMgBfAE8AcABlAHIAYQB0AGkAbgBnAFMAeQBzAHQAZQBtACkALgBMAGEAcwB0AEIAbwBvAHQAVQBwAFQAaQBtAGUA 354300x8000000000000000961Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:40.651{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-365.attackrange.local52419-false10.0.1.14win-dc-365.attackrange.local445microsoft-ds 354300x8000000000000000960Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:40.651{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-365.attackrange.local52419-false10.0.1.14win-dc-365.attackrange.local445microsoft-ds 354300x8000000000000000959Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:40.648{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsetrue2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52418-true2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 354300x8000000000000000958Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:40.648{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruetrue2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52418-true2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 10341000x8000000000000000957Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:41.907{928AB1BB-E3F5-60C1-D402-00000000C301}48724924C:\Windows\system32\conhost.exe{928AB1BB-E3F5-60C1-D502-00000000C301}4788C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000956Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:41.907{928AB1BB-E35F-60C1-0C00-00000000C301}860108C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000955Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:41.907{928AB1BB-E35F-60C1-0C00-00000000C301}860108C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000954Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:41.907{928AB1BB-E35F-60C1-0C00-00000000C301}860108C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000953Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:41.907{928AB1BB-E35F-60C1-0C00-00000000C301}860108C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000952Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:41.907{928AB1BB-E35F-60C1-0C00-00000000C301}860108C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000951Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:41.907{928AB1BB-E35F-60C1-0C00-00000000C301}860108C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000950Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:41.907{928AB1BB-E35F-60C1-0C00-00000000C301}860108C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000949Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:41.907{928AB1BB-E35F-60C1-0C00-00000000C301}860108C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000948Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:41.907{928AB1BB-E35F-60C1-0C00-00000000C301}860108C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000947Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:41.907{928AB1BB-E349-60C1-0500-00000000C301}412500C:\Windows\system32\csrss.exe{928AB1BB-E3F5-60C1-D502-00000000C301}4788C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000946Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:41.907{928AB1BB-E3F5-60C1-D302-00000000C301}48884900C:\Windows\system32\WinrsHost.exe{928AB1BB-E3F5-60C1-D502-00000000C301}4788C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\WinrsHost.exe+2c94|C:\Windows\system32\WinrsHost.exe+2eb1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b 154100x8000000000000000945Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:41.918{928AB1BB-E3F5-60C1-D502-00000000C301}4788C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /C PowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand KABHAGUAdAAtAFcAbQBpAE8AYgBqAGUAYwB0ACAALQBDAGwAYQBzAHMATgBhAG0AZQAgAFcAaQBuADMAMgBfAE8AcABlAHIAYQB0AGkAbgBnAFMAeQBzAHQAZQBtACkALgBMAGEAcwB0AEIAbwBvAHQAVQBwAFQAaQBtAGUAC:\Users\Administrator\ATTACKRANGE\Administrator{928AB1BB-E3F5-60C1-64FA-0E0000000000}0xefa640HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{928AB1BB-E3F5-60C1-D302-00000000C301}4888C:\Windows\System32\winrshost.exeC:\Windows\system32\WinrsHost.exe -Embedding 10341000x8000000000000000944Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:41.907{928AB1BB-E35D-60C1-0B00-00000000C301}632852C:\Windows\system32\lsass.exe{928AB1BB-E35F-60C1-1300-00000000C301}964C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+1d1e8|C:\Windows\system32\lsasrv.dll+1c411|C:\Windows\system32\lsasrv.dll+1ac30|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000943Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:41.907{928AB1BB-E35D-60C1-0B00-00000000C301}632852C:\Windows\system32\lsass.exe{928AB1BB-E35F-60C1-1300-00000000C301}964C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+19616|C:\Windows\system32\lsasrv.dll+1abbf|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000942Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:41.907{928AB1BB-E35D-60C1-0B00-00000000C301}632852C:\Windows\system32\lsass.exe{928AB1BB-E35F-60C1-1300-00000000C301}964C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000941Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:41.892{928AB1BB-E35F-60C1-1300-00000000C301}9641504C:\Windows\system32\svchost.exe{928AB1BB-E3F5-60C1-D302-00000000C301}4888C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\winrscmd.dll+8d36|C:\Windows\system32\winrscmd.dll+92d5|C:\Windows\system32\winrscmd.dll+af31|C:\Windows\system32\winrscmd.dll+23dc|c:\windows\system32\wsmsvc.dll+155ac7|c:\windows\system32\wsmsvc.dll+13f76d|c:\windows\system32\wsmsvc.dll+13f3cf|c:\windows\system32\wsmsvc.dll+13fcb2|c:\windows\system32\wsmsvc.dll+9ab10|c:\windows\system32\wsmsvc.dll+9b611|c:\windows\system32\wsmsvc.dll+4495|c:\windows\system32\wsmsvc.dll+16816c|c:\windows\system32\wsmsvc.dll+1689b8|c:\windows\system32\wsmsvc.dll+16345b|c:\windows\system32\wsmsvc.dll+163125|c:\windows\system32\wsmsvc.dll+14ce9c|c:\windows\system32\wsmsvc.dll+130049|c:\windows\system32\wsmsvc.dll+13571a|c:\windows\system32\wsmsvc.dll+12f47e|c:\windows\system32\wsmsvc.dll+125587|c:\windows\system32\wsmsvc.dll+11f562|c:\windows\system32\wsmsvc.dll+124574 10341000x8000000000000000940Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:41.876{928AB1BB-E35F-60C1-0C00-00000000C301}860108C:\Windows\system32\svchost.exe{928AB1BB-E3F5-60C1-D302-00000000C301}4888C:\Windows\system32\WinrsHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000939Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:41.860{928AB1BB-E3F5-60C1-D402-00000000C301}48724924C:\Windows\system32\conhost.exe{928AB1BB-E3F5-60C1-D302-00000000C301}4888C:\Windows\system32\WinrsHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000938Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:41.860{928AB1BB-E349-60C1-0500-00000000C301}412500C:\Windows\system32\csrss.exe{928AB1BB-E3F5-60C1-D402-00000000C301}4872C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000937Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:41.860{928AB1BB-E35F-60C1-0C00-00000000C301}860108C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000936Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:41.860{928AB1BB-E35F-60C1-0C00-00000000C301}860108C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000935Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:41.860{928AB1BB-E35F-60C1-0C00-00000000C301}860108C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000934Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:41.860{928AB1BB-E35F-60C1-0C00-00000000C301}860108C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000933Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:41.860{928AB1BB-E35F-60C1-0C00-00000000C301}860108C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000932Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:41.860{928AB1BB-E35F-60C1-0C00-00000000C301}860108C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000931Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:41.860{928AB1BB-E35F-60C1-0C00-00000000C301}860108C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000930Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:41.860{928AB1BB-E35F-60C1-0C00-00000000C301}860108C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000929Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:41.860{928AB1BB-E35F-60C1-0C00-00000000C301}860108C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000928Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:41.860{928AB1BB-E349-60C1-0500-00000000C301}412428C:\Windows\system32\csrss.exe{928AB1BB-E3F5-60C1-D302-00000000C301}4888C:\Windows\system32\WinrsHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000927Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:41.860{928AB1BB-E35F-60C1-0C00-00000000C301}860904C:\Windows\system32\svchost.exe{928AB1BB-E3F5-60C1-D302-00000000C301}4888C:\Windows\system32\WinrsHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+35069|c:\windows\system32\rpcss.dll+3a852|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000926Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:41.863{928AB1BB-E3F5-60C1-D302-00000000C301}4888C:\Windows\System32\winrshost.exe10.0.14393.0 (rs1_release.160715-1616)Host Process for WinRM's Remote Shell pluginMicrosoft® Windows® Operating SystemMicrosoft Corporationwinrshost.exeC:\Windows\system32\WinrsHost.exe -EmbeddingC:\Windows\system32\ATTACKRANGE\Administrator{928AB1BB-E3F5-60C1-64FA-0E0000000000}0xefa640HighMD5=F40EC96CA18D88CB1F26FA2070010714,SHA256=607C014A3CA531FFAD50BCD90095C01E4E6B691D9E18473C70E4699CF1E31453,IMPHASH=4216D8E7F36901B61DFD6309B49BCF96{928AB1BB-E35F-60C1-0C00-00000000C301}860C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch 10341000x8000000000000000925Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:41.860{928AB1BB-E35D-60C1-0B00-00000000C301}632840C:\Windows\system32\lsass.exe{928AB1BB-E35F-60C1-1300-00000000C301}964C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+1d1e8|C:\Windows\system32\lsasrv.dll+1c411|C:\Windows\system32\lsasrv.dll+1ac30|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000924Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:41.860{928AB1BB-E35D-60C1-0B00-00000000C301}632840C:\Windows\system32\lsass.exe{928AB1BB-E35F-60C1-1300-00000000C301}964C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+19616|C:\Windows\system32\lsasrv.dll+1abbf|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000923Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:41.845{928AB1BB-E35D-60C1-0B00-00000000C301}632840C:\Windows\system32\lsass.exe{928AB1BB-E35F-60C1-1300-00000000C301}964C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000922Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:41.782{928AB1BB-E3CF-60C1-2002-00000000C301}3352NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=33A12110DD3E8FA15CC462739CC5A49D,SHA256=912FA8734FD20B073E6F2AF17BD0F873C5E43E705E2976BEAE88485D70C215D1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000921Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:41.750{928AB1BB-E35D-60C1-0B00-00000000C301}632852C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x8000000000000000920Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:41.750{928AB1BB-E35D-60C1-0B00-00000000C301}632844C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x8000000000000000919Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:41.750{928AB1BB-E35D-60C1-0B00-00000000C301}632852C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x8000000000000000918Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:41.750{928AB1BB-E35D-60C1-0B00-00000000C301}632692C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 354300x8000000000000000917Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:39.630{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsetrue2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52417-true2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 354300x8000000000000000916Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:39.630{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruetrue2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52417-true2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 354300x8000000000000000915Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:39.622{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local52416-truefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local445microsoft-ds 354300x8000000000000000914Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:39.622{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local52416-truefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local445microsoft-ds 354300x80000000000000001000Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:41.666{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-365.attackrange.local52424-false10.0.1.14win-dc-365.attackrange.local445microsoft-ds 354300x8000000000000000999Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:41.666{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-365.attackrange.local52424-false10.0.1.14win-dc-365.attackrange.local445microsoft-ds 354300x8000000000000000998Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:41.663{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsetrue2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52423-true2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 354300x8000000000000000997Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:41.663{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruetrue2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52423-true2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 10341000x8000000000000000996Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:42.771{928AB1BB-E35D-60C1-0B00-00000000C301}632840C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x8000000000000000995Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:42.771{928AB1BB-E35D-60C1-0B00-00000000C301}632692C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x8000000000000000994Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:42.771{928AB1BB-E35D-60C1-0B00-00000000C301}632844C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x8000000000000000993Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:42.771{928AB1BB-E35D-60C1-0B00-00000000C301}632852C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 354300x8000000000000000992Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:40.657{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local52422-truefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local445microsoft-ds 354300x8000000000000000991Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:40.657{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local52422-truefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local445microsoft-ds 354300x8000000000000000990Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:40.654{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52421-truefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 354300x8000000000000000989Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:40.654{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52421-truefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 10341000x8000000000000000988Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:42.174{928AB1BB-E35D-60C1-0B00-00000000C301}632852C:\Windows\system32\lsass.exe{928AB1BB-E35F-60C1-1300-00000000C301}964C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+1d1e8|C:\Windows\system32\lsasrv.dll+1c411|C:\Windows\system32\lsasrv.dll+1ac30|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000987Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:42.174{928AB1BB-E35D-60C1-0B00-00000000C301}632852C:\Windows\system32\lsass.exe{928AB1BB-E35F-60C1-1300-00000000C301}964C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+19616|C:\Windows\system32\lsasrv.dll+1abbf|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000986Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:42.174{928AB1BB-E35D-60C1-0B00-00000000C301}632852C:\Windows\system32\lsass.exe{928AB1BB-E35F-60C1-1300-00000000C301}964C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000985Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:42.127{928AB1BB-E3F5-60C1-D602-00000000C301}4800ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5=446DD1CF97EABA21CF14D03AEBC79F27,SHA256=A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000984Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:41.986{928AB1BB-E35D-60C1-0B00-00000000C301}632852C:\Windows\system32\lsass.exe{928AB1BB-E3F5-60C1-D602-00000000C301}4800C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000983Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:41.986{928AB1BB-E35D-60C1-0B00-00000000C301}632852C:\Windows\system32\lsass.exe{928AB1BB-E3F5-60C1-D602-00000000C301}4800C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001009Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:43.791{928AB1BB-E35D-60C1-0B00-00000000C301}632840C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001008Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:43.791{928AB1BB-E35D-60C1-0B00-00000000C301}632844C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001007Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:43.791{928AB1BB-E35D-60C1-0B00-00000000C301}632692C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001006Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:43.791{928AB1BB-E35D-60C1-0B00-00000000C301}632840C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 354300x80000000000000001005Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:41.704{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse46.128.24.7946.128.24.79.dynamic.cablesurf.de52679-false10.0.1.14win-dc-365.attackrange.local5986- 354300x80000000000000001004Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:41.672{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local52426-truefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local445microsoft-ds 354300x80000000000000001003Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:41.672{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local52426-truefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local445microsoft-ds 354300x80000000000000001002Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:41.669{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52425-truefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000001001Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:41.669{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52425-truefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 23542300x80000000000000001029Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:44.953{928AB1BB-E3CF-60C1-2002-00000000C301}3352NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4975A32A89057FB3EDCDAFDDC50565A6,SHA256=6D4D5E16864DD7E87C0397A33D8AE2863C5BBC481A41CF726D9D85DA00A1541A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001028Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:44.827{928AB1BB-E35D-60C1-0B00-00000000C301}632840C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001027Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:44.827{928AB1BB-E35D-60C1-0B00-00000000C301}632852C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001026Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:44.812{928AB1BB-E35D-60C1-0B00-00000000C301}632692C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001025Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:44.812{928AB1BB-E35D-60C1-0B00-00000000C301}632840C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 354300x80000000000000001024Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:43.700{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52434-truefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000001023Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:43.697{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-365.attackrange.local52433-false10.0.1.14win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000001022Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:43.697{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-365.attackrange.local52433-false10.0.1.14win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000001021Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:43.694{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsetrue2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52432-true2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000001020Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:43.694{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruetrue2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52432-true2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000001019Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:43.272{928AB1BB-E35D-60C1-0B00-00000000C301}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-365.attackrange.local52431-true0:0:0:0:0:0:0:1win-dc-365.attackrange.local389ldap 354300x80000000000000001018Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:43.272{928AB1BB-E36F-60C1-2100-00000000C301}2464C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-365.attackrange.local52431-true0:0:0:0:0:0:0:1win-dc-365.attackrange.local389ldap 354300x80000000000000001017Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:42.687{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local52430-truefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local445microsoft-ds 354300x80000000000000001016Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:42.687{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local52430-truefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local445microsoft-ds 354300x80000000000000001015Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:42.684{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52429-truefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000001014Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:42.684{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52429-truefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000001013Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:42.681{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-365.attackrange.local52428-false10.0.1.14win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000001012Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:42.681{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-365.attackrange.local52428-false10.0.1.14win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000001011Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:42.679{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsetrue2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52427-true2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000001010Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:42.679{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruetrue2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52427-true2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 10341000x80000000000000001043Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:45.848{928AB1BB-E35D-60C1-0B00-00000000C301}632840C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001042Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:45.848{928AB1BB-E35D-60C1-0B00-00000000C301}632844C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001041Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:45.848{928AB1BB-E35D-60C1-0B00-00000000C301}632852C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001040Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:45.848{928AB1BB-E35D-60C1-0B00-00000000C301}632840C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 354300x80000000000000001039Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:44.718{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52438-truefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000001038Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:44.718{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52438-truefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000001037Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:44.713{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-365.attackrange.local52437-false10.0.1.14win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000001036Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:44.713{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-365.attackrange.local52437-false10.0.1.14win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000001035Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:44.710{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsetrue2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52436-true2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000001034Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:44.710{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruetrue2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52436-true2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000001033Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:43.702{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local52435-truefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local445microsoft-ds 354300x80000000000000001032Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:43.702{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local52435-truefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local445microsoft-ds 354300x80000000000000001031Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:43.700{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52434-truefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 22542200x80000000000000001030Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:43.285{928AB1BB-E36F-60C1-2100-00000000C301}2464win-dc-365.attackrange.local0fe80::103f:51d:2a6e:90ce;fe80::1039:10bb:f5ff:fef1;2001:0:2851:782c:1039:10bb:f5ff:fef1;::ffff:10.0.1.14;C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe 10341000x80000000000000001053Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:46.868{928AB1BB-E35D-60C1-0B00-00000000C301}632852C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001052Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:46.868{928AB1BB-E35D-60C1-0B00-00000000C301}632852C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001051Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:46.868{928AB1BB-E35D-60C1-0B00-00000000C301}632844C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001050Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:46.868{928AB1BB-E35D-60C1-0B00-00000000C301}632692C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 354300x80000000000000001049Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:45.744{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-365.attackrange.local52441-false10.0.1.14win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000001048Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:45.744{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-365.attackrange.local52441-false10.0.1.14win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000001047Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:45.741{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsetrue2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52440-true2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000001046Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:45.741{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruetrue2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52440-true2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000001045Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:44.726{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local52439-truefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local445microsoft-ds 354300x80000000000000001044Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:44.726{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local52439-truefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local445microsoft-ds 354300x80000000000000001131Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:46.765{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local52447-truefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local445microsoft-ds 354300x80000000000000001130Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:46.765{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local52447-truefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local445microsoft-ds 354300x80000000000000001129Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:46.762{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52446-truefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000001128Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:46.762{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52446-truefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000001127Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:46.759{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-365.attackrange.local52445-false10.0.1.14win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000001126Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:46.759{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-365.attackrange.local52445-false10.0.1.14win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000001125Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:46.757{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsetrue2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52444-true2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000001124Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:46.756{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruetrue2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52444-true2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 10341000x80000000000000001123Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:47.888{928AB1BB-E35D-60C1-0B00-00000000C301}632840C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001122Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:47.888{928AB1BB-E35D-60C1-0B00-00000000C301}632852C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001121Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:47.888{928AB1BB-E35D-60C1-0B00-00000000C301}632844C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001120Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:47.888{928AB1BB-E35D-60C1-0B00-00000000C301}632840C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 354300x80000000000000001119Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:45.750{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local52443-truefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local445microsoft-ds 354300x80000000000000001118Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:45.750{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local52443-truefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local445microsoft-ds 354300x80000000000000001117Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:45.747{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52442-truefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000001116Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:45.747{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52442-truefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 10341000x80000000000000001115Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:47.480{928AB1BB-E35D-60C1-0B00-00000000C301}632840C:\Windows\system32\lsass.exe{928AB1BB-E35F-60C1-1300-00000000C301}964C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+1d1e8|C:\Windows\system32\lsasrv.dll+1c411|C:\Windows\system32\lsasrv.dll+1ac30|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001114Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:47.480{928AB1BB-E35D-60C1-0B00-00000000C301}632840C:\Windows\system32\lsass.exe{928AB1BB-E35F-60C1-1300-00000000C301}964C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+19616|C:\Windows\system32\lsasrv.dll+1abbf|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001113Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:47.480{928AB1BB-E35D-60C1-0B00-00000000C301}632840C:\Windows\system32\lsass.exe{928AB1BB-E35F-60C1-1300-00000000C301}964C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001112Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:47.433{928AB1BB-E3FB-60C1-DA02-00000000C301}4640ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5=446DD1CF97EABA21CF14D03AEBC79F27,SHA256=A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001111Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:47.307{928AB1BB-E35D-60C1-0B00-00000000C301}632852C:\Windows\system32\lsass.exe{928AB1BB-E3FB-60C1-DA02-00000000C301}4640C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001110Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:47.307{928AB1BB-E35D-60C1-0B00-00000000C301}632852C:\Windows\system32\lsass.exe{928AB1BB-E3FB-60C1-DA02-00000000C301}4640C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 17141700x80000000000000001109Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-CreatePipe2021-06-10 10:05:47.292{928AB1BB-E3FB-60C1-DA02-00000000C301}4640\PSHost.132677931472409906.4640.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 23542300x80000000000000001108Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:47.276{928AB1BB-E3FB-60C1-DA02-00000000C301}4640ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_nmlenjgt.tt0.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001107Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:47.276{928AB1BB-E3FB-60C1-DA02-00000000C301}4640ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_ltlrt00f.ux4.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000001106Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:47.276{928AB1BB-E3FB-60C1-DA02-00000000C301}4640C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_ltlrt00f.ux4.ps12021-06-10 10:05:47.276 10341000x80000000000000001105Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:47.260{928AB1BB-E35F-60C1-0C00-00000000C301}860108C:\Windows\system32\svchost.exe{928AB1BB-E3FB-60C1-DA02-00000000C301}4640C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001104Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:47.245{928AB1BB-E35D-60C1-0B00-00000000C301}632852C:\Windows\system32\lsass.exe{928AB1BB-E35F-60C1-1300-00000000C301}964C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+1d1e8|C:\Windows\system32\lsasrv.dll+1c411|C:\Windows\system32\lsasrv.dll+1ac30|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001103Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:47.245{928AB1BB-E35D-60C1-0B00-00000000C301}632852C:\Windows\system32\lsass.exe{928AB1BB-E35F-60C1-1300-00000000C301}964C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+19616|C:\Windows\system32\lsasrv.dll+1abbf|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001102Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:47.245{928AB1BB-E35D-60C1-0B00-00000000C301}632852C:\Windows\system32\lsass.exe{928AB1BB-E35F-60C1-1300-00000000C301}964C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001101Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:47.229{928AB1BB-E3FB-60C1-D802-00000000C301}47524768C:\Windows\system32\conhost.exe{928AB1BB-E3FB-60C1-DA02-00000000C301}4640C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001100Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:47.229{928AB1BB-E35F-60C1-0C00-00000000C301}860108C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001099Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:47.229{928AB1BB-E35F-60C1-0C00-00000000C301}860108C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001098Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:47.229{928AB1BB-E35F-60C1-0C00-00000000C301}860108C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001097Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:47.229{928AB1BB-E35F-60C1-0C00-00000000C301}860108C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001096Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:47.229{928AB1BB-E35F-60C1-0C00-00000000C301}860108C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001095Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:47.229{928AB1BB-E35F-60C1-0C00-00000000C301}860108C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001094Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:47.229{928AB1BB-E35F-60C1-0C00-00000000C301}860108C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001093Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:47.229{928AB1BB-E35F-60C1-0C00-00000000C301}860108C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001092Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:47.229{928AB1BB-E35F-60C1-0C00-00000000C301}860108C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001091Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:47.229{928AB1BB-E349-60C1-0500-00000000C301}412532C:\Windows\system32\csrss.exe{928AB1BB-E3FB-60C1-DA02-00000000C301}4640C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001090Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:47.229{928AB1BB-E3FB-60C1-D902-00000000C301}46364632C:\Windows\system32\cmd.exe{928AB1BB-E3FB-60C1-DA02-00000000C301}4640C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001089Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:47.240{928AB1BB-E3FB-60C1-DA02-00000000C301}4640C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXEPowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand KABHAGUAdAAtAFcAbQBpAE8AYgBqAGUAYwB0ACAALQBDAGwAYQBzAHMATgBhAG0AZQAgAFcAaQBuADMAMgBfAE8AcABlAHIAYQB0AGkAbgBnAFMAeQBzAHQAZQBtACkALgBMAGEAcwB0AEIAbwBvAHQAVQBwAFQAaQBtAGUAC:\Users\Administrator\ATTACKRANGE\Administrator{928AB1BB-E3FB-60C1-8223-0F0000000000}0xf23820HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{928AB1BB-E3FB-60C1-D902-00000000C301}4636C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /C PowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand KABHAGUAdAAtAFcAbQBpAE8AYgBqAGUAYwB0ACAALQBDAGwAYQBzAHMATgBhAG0AZQAgAFcAaQBuADMAMgBfAE8AcABlAHIAYQB0AGkAbgBnAFMAeQBzAHQAZQBtACkALgBMAGEAcwB0AEIAbwBvAHQAVQBwAFQAaQBtAGUA 10341000x80000000000000001088Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:47.229{928AB1BB-E3FB-60C1-D802-00000000C301}47524768C:\Windows\system32\conhost.exe{928AB1BB-E3FB-60C1-D902-00000000C301}4636C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001087Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:47.229{928AB1BB-E35F-60C1-0C00-00000000C301}860108C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001086Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:47.229{928AB1BB-E35F-60C1-0C00-00000000C301}860108C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001085Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:47.229{928AB1BB-E35F-60C1-0C00-00000000C301}860108C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001084Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:47.229{928AB1BB-E35F-60C1-0C00-00000000C301}860108C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001083Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:47.229{928AB1BB-E35F-60C1-0C00-00000000C301}860108C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001082Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:47.229{928AB1BB-E35F-60C1-0C00-00000000C301}860108C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001081Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:47.229{928AB1BB-E35F-60C1-0C00-00000000C301}860108C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001080Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:47.229{928AB1BB-E35F-60C1-0C00-00000000C301}860108C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001079Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:47.229{928AB1BB-E35F-60C1-0C00-00000000C301}860108C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001078Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:47.229{928AB1BB-E349-60C1-0500-00000000C301}412532C:\Windows\system32\csrss.exe{928AB1BB-E3FB-60C1-D902-00000000C301}4636C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001077Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:47.229{928AB1BB-E3FB-60C1-D702-00000000C301}47164652C:\Windows\system32\WinrsHost.exe{928AB1BB-E3FB-60C1-D902-00000000C301}4636C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\WinrsHost.exe+2c94|C:\Windows\system32\WinrsHost.exe+2eb1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b 154100x80000000000000001076Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:47.235{928AB1BB-E3FB-60C1-D902-00000000C301}4636C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /C PowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand KABHAGUAdAAtAFcAbQBpAE8AYgBqAGUAYwB0ACAALQBDAGwAYQBzAHMATgBhAG0AZQAgAFcAaQBuADMAMgBfAE8AcABlAHIAYQB0AGkAbgBnAFMAeQBzAHQAZQBtACkALgBMAGEAcwB0AEIAbwBvAHQAVQBwAFQAaQBtAGUAC:\Users\Administrator\ATTACKRANGE\Administrator{928AB1BB-E3FB-60C1-8223-0F0000000000}0xf23820HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{928AB1BB-E3FB-60C1-D702-00000000C301}4716C:\Windows\System32\winrshost.exeC:\Windows\system32\WinrsHost.exe -Embedding 10341000x80000000000000001075Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:47.229{928AB1BB-E35D-60C1-0B00-00000000C301}632852C:\Windows\system32\lsass.exe{928AB1BB-E35F-60C1-1300-00000000C301}964C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+1d1e8|C:\Windows\system32\lsasrv.dll+1c411|C:\Windows\system32\lsasrv.dll+1ac30|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001074Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:47.229{928AB1BB-E35D-60C1-0B00-00000000C301}632852C:\Windows\system32\lsass.exe{928AB1BB-E35F-60C1-1300-00000000C301}964C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+19616|C:\Windows\system32\lsasrv.dll+1abbf|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001073Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:47.229{928AB1BB-E35D-60C1-0B00-00000000C301}632852C:\Windows\system32\lsass.exe{928AB1BB-E35F-60C1-1300-00000000C301}964C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001072Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:47.198{928AB1BB-E35F-60C1-1300-00000000C301}9641504C:\Windows\system32\svchost.exe{928AB1BB-E3FB-60C1-D702-00000000C301}4716C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\winrscmd.dll+8d36|C:\Windows\system32\winrscmd.dll+92d5|C:\Windows\system32\winrscmd.dll+af31|C:\Windows\system32\winrscmd.dll+23dc|c:\windows\system32\wsmsvc.dll+155ac7|c:\windows\system32\wsmsvc.dll+13f76d|c:\windows\system32\wsmsvc.dll+13f3cf|c:\windows\system32\wsmsvc.dll+13fcb2|c:\windows\system32\wsmsvc.dll+9ab10|c:\windows\system32\wsmsvc.dll+9b611|c:\windows\system32\wsmsvc.dll+4495|c:\windows\system32\wsmsvc.dll+16816c|c:\windows\system32\wsmsvc.dll+1689b8|c:\windows\system32\wsmsvc.dll+16345b|c:\windows\system32\wsmsvc.dll+163125|c:\windows\system32\wsmsvc.dll+14ce9c|c:\windows\system32\wsmsvc.dll+130049|c:\windows\system32\wsmsvc.dll+13571a|c:\windows\system32\wsmsvc.dll+12f47e|c:\windows\system32\wsmsvc.dll+125587|c:\windows\system32\wsmsvc.dll+11f562|c:\windows\system32\wsmsvc.dll+124574 10341000x80000000000000001071Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:47.198{928AB1BB-E35F-60C1-0C00-00000000C301}860108C:\Windows\system32\svchost.exe{928AB1BB-E3FB-60C1-D702-00000000C301}4716C:\Windows\system32\WinrsHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001070Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:47.182{928AB1BB-E3FB-60C1-D802-00000000C301}47524768C:\Windows\system32\conhost.exe{928AB1BB-E3FB-60C1-D702-00000000C301}4716C:\Windows\system32\WinrsHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001069Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:47.182{928AB1BB-E349-60C1-0500-00000000C301}412532C:\Windows\system32\csrss.exe{928AB1BB-E3FB-60C1-D802-00000000C301}4752C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001068Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:47.182{928AB1BB-E35F-60C1-0C00-00000000C301}860108C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:47.182{928AB1BB-E35F-60C1-0C00-00000000C301}860108C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001066Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:47.182{928AB1BB-E35F-60C1-0C00-00000000C301}860108C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001065Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:47.182{928AB1BB-E35F-60C1-0C00-00000000C301}860108C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001064Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:47.182{928AB1BB-E35F-60C1-0C00-00000000C301}860108C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001063Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:47.182{928AB1BB-E35F-60C1-0C00-00000000C301}860108C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001062Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:47.182{928AB1BB-E35F-60C1-0C00-00000000C301}860904C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001061Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:47.166{928AB1BB-E35F-60C1-0C00-00000000C301}860904C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001060Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:47.166{928AB1BB-E35F-60C1-0C00-00000000C301}860904C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001059Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:47.166{928AB1BB-E349-60C1-0500-00000000C301}412500C:\Windows\system32\csrss.exe{928AB1BB-E3FB-60C1-D702-00000000C301}4716C:\Windows\system32\WinrsHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001058Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:47.166{928AB1BB-E35F-60C1-0C00-00000000C301}860108C:\Windows\system32\svchost.exe{928AB1BB-E3FB-60C1-D702-00000000C301}4716C:\Windows\system32\WinrsHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+35069|c:\windows\system32\rpcss.dll+3a852|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001057Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:47.181{928AB1BB-E3FB-60C1-D702-00000000C301}4716C:\Windows\System32\winrshost.exe10.0.14393.0 (rs1_release.160715-1616)Host Process for WinRM's Remote Shell pluginMicrosoft® Windows® Operating SystemMicrosoft Corporationwinrshost.exeC:\Windows\system32\WinrsHost.exe -EmbeddingC:\Windows\system32\ATTACKRANGE\Administrator{928AB1BB-E3FB-60C1-8223-0F0000000000}0xf23820HighMD5=F40EC96CA18D88CB1F26FA2070010714,SHA256=607C014A3CA531FFAD50BCD90095C01E4E6B691D9E18473C70E4699CF1E31453,IMPHASH=4216D8E7F36901B61DFD6309B49BCF96{928AB1BB-E35F-60C1-0C00-00000000C301}860C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch 10341000x80000000000000001056Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:47.166{928AB1BB-E35D-60C1-0B00-00000000C301}632852C:\Windows\system32\lsass.exe{928AB1BB-E35F-60C1-1300-00000000C301}964C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+1d1e8|C:\Windows\system32\lsasrv.dll+1c411|C:\Windows\system32\lsasrv.dll+1ac30|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:47.166{928AB1BB-E35D-60C1-0B00-00000000C301}632852C:\Windows\system32\lsass.exe{928AB1BB-E35F-60C1-1300-00000000C301}964C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+19616|C:\Windows\system32\lsasrv.dll+1abbf|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:47.166{928AB1BB-E35D-60C1-0B00-00000000C301}632852C:\Windows\system32\lsass.exe{928AB1BB-E35F-60C1-1300-00000000C301}964C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001136Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:48.908{928AB1BB-E35D-60C1-0B00-00000000C301}632844C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001135Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:48.908{928AB1BB-E35D-60C1-0B00-00000000C301}632844C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001134Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:48.908{928AB1BB-E35D-60C1-0B00-00000000C301}632852C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001133Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:48.908{928AB1BB-E35D-60C1-0B00-00000000C301}632692C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 354300x80000000000000001132Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:46.995{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse46.128.24.7946.128.24.79.dynamic.cablesurf.de52680-false10.0.1.14win-dc-365.attackrange.local5986- 10341000x80000000000000001148Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:49.929{928AB1BB-E35D-60C1-0B00-00000000C301}632844C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001147Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:49.929{928AB1BB-E35D-60C1-0B00-00000000C301}632692C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001146Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:49.929{928AB1BB-E35D-60C1-0B00-00000000C301}632844C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001145Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:49.929{928AB1BB-E35D-60C1-0B00-00000000C301}632844C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 354300x80000000000000001144Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:47.781{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local52451-truefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local445microsoft-ds 354300x80000000000000001143Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:47.781{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local52451-truefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local445microsoft-ds 354300x80000000000000001142Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:47.778{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52450-truefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000001141Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:47.778{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52450-truefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000001140Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:47.775{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-365.attackrange.local52449-false10.0.1.14win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000001139Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:47.775{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-365.attackrange.local52449-false10.0.1.14win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000001138Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:47.772{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsetrue2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52448-true2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000001137Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:47.772{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruetrue2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52448-true2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 10341000x80000000000000001160Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:50.949{928AB1BB-E35D-60C1-0B00-00000000C301}632840C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001159Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:50.949{928AB1BB-E35D-60C1-0B00-00000000C301}632840C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001158Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:50.949{928AB1BB-E35D-60C1-0B00-00000000C301}632692C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001157Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:50.949{928AB1BB-E35D-60C1-0B00-00000000C301}632844C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 354300x80000000000000001156Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:48.797{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local52455-truefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local445microsoft-ds 354300x80000000000000001155Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:48.797{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local52455-truefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local445microsoft-ds 354300x80000000000000001154Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:48.794{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52454-truefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000001153Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:48.794{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52454-truefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000001152Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:48.791{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-365.attackrange.local52453-false10.0.1.14win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000001151Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:48.791{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-365.attackrange.local52453-false10.0.1.14win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000001150Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:48.788{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsetrue2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52452-true2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000001149Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:48.788{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruetrue2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52452-true2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 10341000x80000000000000001172Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:51.969{928AB1BB-E35D-60C1-0B00-00000000C301}632692C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001171Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:51.969{928AB1BB-E35D-60C1-0B00-00000000C301}632852C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001170Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:51.969{928AB1BB-E35D-60C1-0B00-00000000C301}632840C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001169Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:51.969{928AB1BB-E35D-60C1-0B00-00000000C301}632840C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 354300x80000000000000001168Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:49.812{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local52459-truefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local445microsoft-ds 354300x80000000000000001167Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:49.812{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local52459-truefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local445microsoft-ds 354300x80000000000000001166Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:49.809{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52458-truefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000001165Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:49.809{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52458-truefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000001164Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:49.806{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-365.attackrange.local52457-false10.0.1.14win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000001163Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:49.806{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-365.attackrange.local52457-false10.0.1.14win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000001162Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:49.803{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsetrue2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52456-true2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000001161Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:49.803{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruetrue2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52456-true2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 10341000x80000000000000001184Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:52.989{928AB1BB-E35D-60C1-0B00-00000000C301}632840C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001183Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:52.989{928AB1BB-E35D-60C1-0B00-00000000C301}632692C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001182Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:52.989{928AB1BB-E35D-60C1-0B00-00000000C301}632840C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 354300x80000000000000001181Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:50.828{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local52463-truefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local445microsoft-ds 354300x80000000000000001180Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:50.828{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local52463-truefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local445microsoft-ds 354300x80000000000000001179Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:50.825{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52462-truefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000001178Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:50.825{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52462-truefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000001177Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:50.822{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-365.attackrange.local52461-false10.0.1.14win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000001176Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:50.822{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-365.attackrange.local52461-false10.0.1.14win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000001175Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:50.819{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsetrue2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52460-true2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000001174Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:50.819{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruetrue2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52460-true2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 23542300x80000000000000001173Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:52.047{928AB1BB-E3CF-60C1-2002-00000000C301}3352NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2FCDE698F53E886B3ADCC3EE04C79826,SHA256=45E1292CE1CCB0A4673965629EDB02E9156284AB2FEC938ABA016D6544821F48,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001187Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:51.835{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsetrue2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52464-true2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000001186Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:51.835{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruetrue2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52464-true2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 10341000x80000000000000001185Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:52.989{928AB1BB-E35D-60C1-0B00-00000000C301}632852C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001208Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:54.260{928AB1BB-E35D-60C1-0B00-00000000C301}632692C:\Windows\system32\lsass.exe{928AB1BB-E36F-60C1-1F00-00000000C301}2448C:\Windows\system32\dns.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+304a5|C:\Windows\system32\lsasrv.dll+2e33b|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001207Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:54.260{928AB1BB-E35D-60C1-0B00-00000000C301}632692C:\Windows\system32\lsass.exe{928AB1BB-E36F-60C1-1F00-00000000C301}2448C:\Windows\system32\dns.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+304a5|C:\Windows\system32\lsasrv.dll+2e33b|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001206Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:54.009{928AB1BB-E35D-60C1-0B00-00000000C301}632840C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001205Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:54.009{928AB1BB-E35D-60C1-0B00-00000000C301}632692C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001204Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:54.009{928AB1BB-E35D-60C1-0B00-00000000C301}632840C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001203Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:54.009{928AB1BB-E35D-60C1-0B00-00000000C301}632840C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 354300x80000000000000001202Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:52.856{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52470-truefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000001201Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:52.856{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52470-truefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000001200Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:52.853{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-365.attackrange.local52469-false10.0.1.14win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000001199Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:52.853{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-365.attackrange.local52469-false10.0.1.14win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000001198Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:52.850{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsetrue2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52468-true2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000001197Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:52.850{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruetrue2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52468-true2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000001196Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:52.194{928AB1BB-E36F-60C1-1F00-00000000C301}2448C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-365.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-365.attackrange.local58179- 354300x80000000000000001195Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:52.193{928AB1BB-E36F-60C1-1F00-00000000C301}2448C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-365.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-365.attackrange.local60398- 354300x80000000000000001194Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:52.193{928AB1BB-E36F-60C1-1F00-00000000C301}2448C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-365.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-365.attackrange.local52587- 354300x80000000000000001193Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:51.843{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local52467-truefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local445microsoft-ds 354300x80000000000000001192Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:51.843{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local52467-truefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local445microsoft-ds 354300x80000000000000001191Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:51.841{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52466-truefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000001190Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:51.841{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52466-truefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000001189Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:51.838{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-365.attackrange.local52465-false10.0.1.14win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000001188Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:51.838{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-365.attackrange.local52465-false10.0.1.14win-dc-365.attackrange.local445microsoft-ds 10341000x80000000000000001284Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:55.861{928AB1BB-E35D-60C1-0B00-00000000C301}632852C:\Windows\system32\lsass.exe{928AB1BB-E403-60C1-DE02-00000000C301}3292C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001283Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:55.861{928AB1BB-E35D-60C1-0B00-00000000C301}632852C:\Windows\system32\lsass.exe{928AB1BB-E403-60C1-DE02-00000000C301}3292C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 17141700x80000000000000001282Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-CreatePipe2021-06-10 10:05:55.845{928AB1BB-E403-60C1-DE02-00000000C301}3292\PSHost.132677931557823372.3292.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 23542300x80000000000000001281Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:55.829{928AB1BB-E403-60C1-DE02-00000000C301}3292ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_0skjmg2o.5pk.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001280Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:55.829{928AB1BB-E403-60C1-DE02-00000000C301}3292ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_nujpxxpw.eku.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000001279Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:55.813{928AB1BB-E403-60C1-DE02-00000000C301}3292C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_nujpxxpw.eku.ps12021-06-10 10:05:55.813 10341000x80000000000000001278Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:55.798{928AB1BB-E35F-60C1-0C00-00000000C301}860108C:\Windows\system32\svchost.exe{928AB1BB-E403-60C1-DE02-00000000C301}3292C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001277Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:55.798{928AB1BB-E35D-60C1-0B00-00000000C301}632852C:\Windows\system32\lsass.exe{928AB1BB-E35F-60C1-1300-00000000C301}964C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+1d1e8|C:\Windows\system32\lsasrv.dll+1c411|C:\Windows\system32\lsasrv.dll+1ac30|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001276Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:55.798{928AB1BB-E35D-60C1-0B00-00000000C301}632852C:\Windows\system32\lsass.exe{928AB1BB-E35F-60C1-1300-00000000C301}964C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+19616|C:\Windows\system32\lsasrv.dll+1abbf|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001275Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:55.798{928AB1BB-E35D-60C1-0B00-00000000C301}632852C:\Windows\system32\lsass.exe{928AB1BB-E35F-60C1-1300-00000000C301}964C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001274Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:55.782{928AB1BB-E403-60C1-DC02-00000000C301}5202128C:\Windows\system32\conhost.exe{928AB1BB-E403-60C1-DE02-00000000C301}3292C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001273Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:55.782{928AB1BB-E35F-60C1-0C00-00000000C301}860108C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001272Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:55.782{928AB1BB-E35F-60C1-0C00-00000000C301}860108C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001271Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:55.782{928AB1BB-E35F-60C1-0C00-00000000C301}860108C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001270Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:55.782{928AB1BB-E35F-60C1-0C00-00000000C301}860108C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001269Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:55.782{928AB1BB-E35F-60C1-0C00-00000000C301}860108C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001268Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:55.782{928AB1BB-E35F-60C1-0C00-00000000C301}860108C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001267Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:55.782{928AB1BB-E35F-60C1-0C00-00000000C301}860108C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001266Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:55.782{928AB1BB-E349-60C1-0500-00000000C301}412532C:\Windows\system32\csrss.exe{928AB1BB-E403-60C1-DE02-00000000C301}3292C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001265Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:55.782{928AB1BB-E35F-60C1-0C00-00000000C301}860108C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001264Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:55.782{928AB1BB-E35F-60C1-0C00-00000000C301}860108C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001263Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:55.782{928AB1BB-E403-60C1-DD02-00000000C301}2660508C:\Windows\system32\cmd.exe{928AB1BB-E403-60C1-DE02-00000000C301}3292C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001262Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:55.782{928AB1BB-E403-60C1-DE02-00000000C301}3292C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXEPowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand KABHAGUAdAAtAFcAbQBpAE8AYgBqAGUAYwB0ACAALQBDAGwAYQBzAHMATgBhAG0AZQAgAFcAaQBuADMAMgBfAE8AcABlAHIAYQB0AGkAbgBnAFMAeQBzAHQAZQBtACkALgBMAGEAcwB0AEIAbwBvAHQAVQBwAFQAaQBtAGUAC:\Users\Administrator\ATTACKRANGE\Administrator{928AB1BB-E403-60C1-1A51-0F0000000000}0xf511a0HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{928AB1BB-E403-60C1-DD02-00000000C301}2660C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /C PowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand KABHAGUAdAAtAFcAbQBpAE8AYgBqAGUAYwB0ACAALQBDAGwAYQBzAHMATgBhAG0AZQAgAFcAaQBuADMAMgBfAE8AcABlAHIAYQB0AGkAbgBnAFMAeQBzAHQAZQBtACkALgBMAGEAcwB0AEIAbwBvAHQAVQBwAFQAaQBtAGUA 10341000x80000000000000001261Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:55.766{928AB1BB-E403-60C1-DC02-00000000C301}5202128C:\Windows\system32\conhost.exe{928AB1BB-E403-60C1-DD02-00000000C301}2660C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001260Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:55.766{928AB1BB-E35F-60C1-0C00-00000000C301}860108C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001259Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:55.766{928AB1BB-E35F-60C1-0C00-00000000C301}860108C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001258Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:55.766{928AB1BB-E35F-60C1-0C00-00000000C301}860108C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001257Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:55.766{928AB1BB-E35F-60C1-0C00-00000000C301}860108C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001256Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:55.766{928AB1BB-E35F-60C1-0C00-00000000C301}860108C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001255Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:55.766{928AB1BB-E35F-60C1-0C00-00000000C301}860108C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001254Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:55.766{928AB1BB-E35F-60C1-0C00-00000000C301}860108C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001253Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:55.766{928AB1BB-E35F-60C1-0C00-00000000C301}860108C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001252Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:55.766{928AB1BB-E35F-60C1-0C00-00000000C301}860108C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001251Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:55.766{928AB1BB-E349-60C1-0500-00000000C301}412532C:\Windows\system32\csrss.exe{928AB1BB-E403-60C1-DD02-00000000C301}2660C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001250Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:55.766{928AB1BB-E403-60C1-DB02-00000000C301}3432588C:\Windows\system32\WinrsHost.exe{928AB1BB-E403-60C1-DD02-00000000C301}2660C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\WinrsHost.exe+2c94|C:\Windows\system32\WinrsHost.exe+2eb1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b 154100x80000000000000001249Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:55.776{928AB1BB-E403-60C1-DD02-00000000C301}2660C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /C PowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand KABHAGUAdAAtAFcAbQBpAE8AYgBqAGUAYwB0ACAALQBDAGwAYQBzAHMATgBhAG0AZQAgAFcAaQBuADMAMgBfAE8AcABlAHIAYQB0AGkAbgBnAFMAeQBzAHQAZQBtACkALgBMAGEAcwB0AEIAbwBvAHQAVQBwAFQAaQBtAGUAC:\Users\Administrator\ATTACKRANGE\Administrator{928AB1BB-E403-60C1-1A51-0F0000000000}0xf511a0HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{928AB1BB-E403-60C1-DB02-00000000C301}3432C:\Windows\System32\winrshost.exeC:\Windows\system32\WinrsHost.exe -Embedding 10341000x80000000000000001248Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:55.766{928AB1BB-E35D-60C1-0B00-00000000C301}632852C:\Windows\system32\lsass.exe{928AB1BB-E35F-60C1-1300-00000000C301}964C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+1d1e8|C:\Windows\system32\lsasrv.dll+1c411|C:\Windows\system32\lsasrv.dll+1ac30|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001247Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:55.766{928AB1BB-E35D-60C1-0B00-00000000C301}632852C:\Windows\system32\lsass.exe{928AB1BB-E35F-60C1-1300-00000000C301}964C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+19616|C:\Windows\system32\lsasrv.dll+1abbf|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001246Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:55.766{928AB1BB-E35D-60C1-0B00-00000000C301}632852C:\Windows\system32\lsass.exe{928AB1BB-E35F-60C1-1300-00000000C301}964C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001245Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:55.735{928AB1BB-E35F-60C1-1300-00000000C301}9641256C:\Windows\system32\svchost.exe{928AB1BB-E403-60C1-DB02-00000000C301}3432C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\winrscmd.dll+8d36|C:\Windows\system32\winrscmd.dll+92d5|C:\Windows\system32\winrscmd.dll+af31|C:\Windows\system32\winrscmd.dll+23dc|c:\windows\system32\wsmsvc.dll+155ac7|c:\windows\system32\wsmsvc.dll+13f76d|c:\windows\system32\wsmsvc.dll+13f3cf|c:\windows\system32\wsmsvc.dll+13fcb2|c:\windows\system32\wsmsvc.dll+9ab10|c:\windows\system32\wsmsvc.dll+9b611|c:\windows\system32\wsmsvc.dll+4495|c:\windows\system32\wsmsvc.dll+16816c|c:\windows\system32\wsmsvc.dll+1689b8|c:\windows\system32\wsmsvc.dll+16345b|c:\windows\system32\wsmsvc.dll+163125|c:\windows\system32\wsmsvc.dll+14ce9c|c:\windows\system32\wsmsvc.dll+130049|c:\windows\system32\wsmsvc.dll+13571a|c:\windows\system32\wsmsvc.dll+12f47e|c:\windows\system32\wsmsvc.dll+125587|c:\windows\system32\wsmsvc.dll+11f562|c:\windows\system32\wsmsvc.dll+124574 10341000x80000000000000001244Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:55.735{928AB1BB-E35F-60C1-0C00-00000000C301}860108C:\Windows\system32\svchost.exe{928AB1BB-E403-60C1-DB02-00000000C301}3432C:\Windows\system32\WinrsHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001243Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:55.719{928AB1BB-E403-60C1-DC02-00000000C301}5202128C:\Windows\system32\conhost.exe{928AB1BB-E403-60C1-DB02-00000000C301}3432C:\Windows\system32\WinrsHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001242Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:55.719{928AB1BB-E349-60C1-0500-00000000C301}412532C:\Windows\system32\csrss.exe{928AB1BB-E403-60C1-DC02-00000000C301}520C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001241Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:55.719{928AB1BB-E35F-60C1-0C00-00000000C301}860108C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001240Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:55.719{928AB1BB-E35F-60C1-0C00-00000000C301}860108C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001239Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:55.719{928AB1BB-E35F-60C1-0C00-00000000C301}860108C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001238Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:55.719{928AB1BB-E35F-60C1-0C00-00000000C301}860108C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001237Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:55.719{928AB1BB-E35F-60C1-0C00-00000000C301}860108C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001236Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:55.719{928AB1BB-E35F-60C1-0C00-00000000C301}860108C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001235Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:55.719{928AB1BB-E35F-60C1-0C00-00000000C301}860904C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001234Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:55.719{928AB1BB-E35F-60C1-0C00-00000000C301}860904C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001233Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:55.719{928AB1BB-E35F-60C1-0C00-00000000C301}860904C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001232Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:55.719{928AB1BB-E349-60C1-0500-00000000C301}412428C:\Windows\system32\csrss.exe{928AB1BB-E403-60C1-DB02-00000000C301}3432C:\Windows\system32\WinrsHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001231Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:55.719{928AB1BB-E35F-60C1-0C00-00000000C301}860108C:\Windows\system32\svchost.exe{928AB1BB-E403-60C1-DB02-00000000C301}3432C:\Windows\system32\WinrsHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+35069|c:\windows\system32\rpcss.dll+3a852|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001230Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:55.720{928AB1BB-E403-60C1-DB02-00000000C301}3432C:\Windows\System32\winrshost.exe10.0.14393.0 (rs1_release.160715-1616)Host Process for WinRM's Remote Shell pluginMicrosoft® Windows® Operating SystemMicrosoft Corporationwinrshost.exeC:\Windows\system32\WinrsHost.exe -EmbeddingC:\Windows\system32\ATTACKRANGE\Administrator{928AB1BB-E403-60C1-1A51-0F0000000000}0xf511a0HighMD5=F40EC96CA18D88CB1F26FA2070010714,SHA256=607C014A3CA531FFAD50BCD90095C01E4E6B691D9E18473C70E4699CF1E31453,IMPHASH=4216D8E7F36901B61DFD6309B49BCF96{928AB1BB-E35F-60C1-0C00-00000000C301}860C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch 22542200x80000000000000001229Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:54.132{928AB1BB-E35D-60C1-0B00-00000000C301}632_ldap._tcp.attackrange.local.0type: 33 ;10.0.1.14;C:\Windows\System32\lsass.exe 22542200x80000000000000001228Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:54.132{928AB1BB-E35D-60C1-0B00-00000000C301}632_ldap._tcp.Default-First-Site-Name._sites.attackrange.local.0type: 33 ;10.0.1.14;C:\Windows\System32\lsass.exe 22542200x80000000000000001227Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:54.130{928AB1BB-E36F-60C1-1F00-00000000C301}2448win-dc-365.attackrange.local0fe80::103f:51d:2a6e:90ce;fe80::1039:10bb:f5ff:fef1;2001:0:2851:782c:1039:10bb:f5ff:fef1;::ffff:10.0.1.14;C:\Windows\System32\dns.exe 10341000x80000000000000001226Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:55.704{928AB1BB-E35D-60C1-0B00-00000000C301}632852C:\Windows\system32\lsass.exe{928AB1BB-E35F-60C1-1300-00000000C301}964C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+1d1e8|C:\Windows\system32\lsasrv.dll+1c411|C:\Windows\system32\lsasrv.dll+1ac30|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001225Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:55.704{928AB1BB-E35D-60C1-0B00-00000000C301}632852C:\Windows\system32\lsass.exe{928AB1BB-E35F-60C1-1300-00000000C301}964C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+19616|C:\Windows\system32\lsasrv.dll+1abbf|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001224Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:55.704{928AB1BB-E35D-60C1-0B00-00000000C301}632852C:\Windows\system32\lsass.exe{928AB1BB-E35F-60C1-1300-00000000C301}964C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001223Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:55.202{928AB1BB-E3CF-60C1-2002-00000000C301}3352NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Directory ServiceMD5=DD5DB6AE4F310E7348228AA711757E47,SHA256=4C6C2AD74448A26C19279DE04933FFCF1D726B56BA36EA3FDA137FDACB193259,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001222Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:53.876{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local52475-truefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local445microsoft-ds 354300x80000000000000001221Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:53.876{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local52475-truefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local445microsoft-ds 354300x80000000000000001220Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:53.872{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52474-truefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000001219Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:53.872{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52474-truefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000001218Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:53.869{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-365.attackrange.local52473-false10.0.1.14win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000001217Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:53.869{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-365.attackrange.local52473-false10.0.1.14win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000001216Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:53.866{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsetrue2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52472-true2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000001215Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:53.866{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruetrue2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52472-true2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000001214Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:52.859{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local52471-truefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local445microsoft-ds 354300x80000000000000001213Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:52.859{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local52471-truefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local445microsoft-ds 10341000x80000000000000001212Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:55.029{928AB1BB-E35D-60C1-0B00-00000000C301}632840C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001211Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:55.029{928AB1BB-E35D-60C1-0B00-00000000C301}632692C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001210Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:55.029{928AB1BB-E35D-60C1-0B00-00000000C301}632852C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001209Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:55.029{928AB1BB-E35D-60C1-0B00-00000000C301}632692C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 354300x80000000000000001299Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:54.122{928AB1BB-E36F-60C1-1F00-00000000C301}2448C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-365.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-365.attackrange.local64521- 354300x80000000000000001298Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:54.121{928AB1BB-E36F-60C1-1F00-00000000C301}2448C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-365.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-365.attackrange.local56317- 354300x80000000000000001297Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:54.119{928AB1BB-E35D-60C1-0B00-00000000C301}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-365.attackrange.local52477-true0:0:0:0:0:0:0:1win-dc-365.attackrange.local389ldap 354300x80000000000000001296Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:54.119{928AB1BB-E36F-60C1-1F00-00000000C301}2448C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-365.attackrange.local52477-true0:0:0:0:0:0:0:1win-dc-365.attackrange.local389ldap 354300x80000000000000001295Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:54.118{928AB1BB-E36F-60C1-1F00-00000000C301}2448C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-365.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-365.attackrange.local62291- 354300x80000000000000001294Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:54.116{928AB1BB-E35D-60C1-0B00-00000000C301}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-365.attackrange.local52476-true0:0:0:0:0:0:0:1win-dc-365.attackrange.local389ldap 354300x80000000000000001293Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:54.116{928AB1BB-E36F-60C1-1F00-00000000C301}2448C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-365.attackrange.local52476-true0:0:0:0:0:0:0:1win-dc-365.attackrange.local389ldap 10341000x80000000000000001292Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:56.064{928AB1BB-E35D-60C1-0B00-00000000C301}632840C:\Windows\system32\lsass.exe{928AB1BB-E35F-60C1-1300-00000000C301}964C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+1d1e8|C:\Windows\system32\lsasrv.dll+1c411|C:\Windows\system32\lsasrv.dll+1ac30|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001291Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:56.064{928AB1BB-E35D-60C1-0B00-00000000C301}632840C:\Windows\system32\lsass.exe{928AB1BB-E35F-60C1-1300-00000000C301}964C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+19616|C:\Windows\system32\lsasrv.dll+1abbf|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001290Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:56.064{928AB1BB-E35D-60C1-0B00-00000000C301}632840C:\Windows\system32\lsass.exe{928AB1BB-E35F-60C1-1300-00000000C301}964C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001289Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:56.049{928AB1BB-E35D-60C1-0B00-00000000C301}632844C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001288Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:56.049{928AB1BB-E35D-60C1-0B00-00000000C301}632840C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001287Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:56.049{928AB1BB-E35D-60C1-0B00-00000000C301}632692C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001286Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:56.049{928AB1BB-E35D-60C1-0B00-00000000C301}632852C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 23542300x80000000000000001285Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:56.017{928AB1BB-E403-60C1-DE02-00000000C301}3292ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5=446DD1CF97EABA21CF14D03AEBC79F27,SHA256=A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001313Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:57.477{928AB1BB-E3CF-60C1-2002-00000000C301}3352NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=933595ECE5036917F1361714BA6DED4A,SHA256=F4927CD5467D4A82FF21BDBF1527B234A33466EB808EA6639AC1F0473E2553D4,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001312Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:55.504{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse46.128.24.7946.128.24.79.dynamic.cablesurf.de52685-false10.0.1.14win-dc-365.attackrange.local5986- 354300x80000000000000001311Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:54.893{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local52481-truefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local445microsoft-ds 354300x80000000000000001310Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:54.893{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local52481-truefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local445microsoft-ds 354300x80000000000000001309Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:54.888{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52480-truefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000001308Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:54.888{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52480-truefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000001307Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:54.885{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-365.attackrange.local52479-false10.0.1.14win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000001306Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:54.885{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-365.attackrange.local52479-false10.0.1.14win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000001305Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:54.881{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsetrue2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52478-true2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000001304Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:54.881{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruetrue2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52478-true2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 10341000x80000000000000001303Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:57.069{928AB1BB-E35D-60C1-0B00-00000000C301}632844C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001302Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:57.069{928AB1BB-E35D-60C1-0B00-00000000C301}632844C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001301Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:57.069{928AB1BB-E35D-60C1-0B00-00000000C301}632852C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001300Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:57.069{928AB1BB-E35D-60C1-0B00-00000000C301}632840C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 23542300x80000000000000001334Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:58.983{928AB1BB-E3CF-60C1-2002-00000000C301}3352NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=93110C3BE58170F913CD9D3C1097F511,SHA256=FEA68FB34CFFCEE4D4CEAC381749577D5C1371C6218AC15A3EE8F596724A0F71,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001333Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:56.921{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local52489-truefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local445microsoft-ds 354300x80000000000000001332Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:56.921{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local52489-truefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local445microsoft-ds 354300x80000000000000001331Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:56.918{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52488-truefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000001330Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:56.918{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52488-truefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000001329Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:56.915{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-365.attackrange.local52487-false10.0.1.14win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000001328Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:56.915{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-365.attackrange.local52487-false10.0.1.14win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000001327Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:56.912{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsetrue2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52486-true2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000001326Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:56.912{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruetrue2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52486-true2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000001325Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:55.907{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local52485-truefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local445microsoft-ds 354300x80000000000000001324Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:55.907{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local52485-truefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local445microsoft-ds 354300x80000000000000001323Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:55.904{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52484-truefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000001322Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:55.904{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52484-truefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000001321Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:55.901{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-365.attackrange.local52483-false10.0.1.14win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000001320Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:55.901{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-365.attackrange.local52483-false10.0.1.14win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000001319Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:55.898{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsetrue2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52482-true2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000001318Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:55.898{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruetrue2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52482-true2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 10341000x80000000000000001317Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:58.089{928AB1BB-E35D-60C1-0B00-00000000C301}632840C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001316Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:58.089{928AB1BB-E35D-60C1-0B00-00000000C301}632852C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001315Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:58.089{928AB1BB-E35D-60C1-0B00-00000000C301}632844C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001314Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:58.089{928AB1BB-E35D-60C1-0B00-00000000C301}632840C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 354300x80000000000000001346Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:57.937{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local52493-truefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local445microsoft-ds 354300x80000000000000001345Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:57.937{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local52493-truefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local445microsoft-ds 354300x80000000000000001344Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:57.934{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52492-truefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000001343Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:57.934{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52492-truefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000001342Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:57.931{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-365.attackrange.local52491-false10.0.1.14win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000001341Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:57.931{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-365.attackrange.local52491-false10.0.1.14win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000001340Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:57.928{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsetrue2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52490-true2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000001339Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:57.928{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruetrue2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52490-true2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 10341000x80000000000000001338Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:59.108{928AB1BB-E35D-60C1-0B00-00000000C301}632840C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001337Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:59.108{928AB1BB-E35D-60C1-0B00-00000000C301}632844C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001336Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:59.108{928AB1BB-E35D-60C1-0B00-00000000C301}632840C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001335Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:59.108{928AB1BB-E35D-60C1-0B00-00000000C301}632840C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 23542300x80000000000000001385Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:00.897{928AB1BB-E3CF-60C1-2002-00000000C301}3352NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=394A1360ACA7F99874B2F00CA2DD8173,SHA256=C390BF473B36062B39ABA9AF31AD2D96AFE6C62231FD338FF96BEB7D7B136AFE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001384Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:00.897{928AB1BB-E3C4-60C1-D101-00000000C301}37363700C:\Windows\system32\conhost.exe{928AB1BB-E408-60C1-E002-00000000C301}4484C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001383Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:00.897{928AB1BB-E35F-60C1-0C00-00000000C301}860108C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001382Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:00.897{928AB1BB-E35F-60C1-0C00-00000000C301}860108C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001381Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:00.897{928AB1BB-E35F-60C1-0C00-00000000C301}860108C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001380Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:00.897{928AB1BB-E35F-60C1-0C00-00000000C301}860108C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001379Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:00.897{928AB1BB-E35F-60C1-0C00-00000000C301}860108C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001378Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:00.897{928AB1BB-E35F-60C1-0C00-00000000C301}860108C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001377Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:00.897{928AB1BB-E35F-60C1-0C00-00000000C301}860108C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001376Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:00.897{928AB1BB-E35F-60C1-0C00-00000000C301}860108C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001375Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:00.897{928AB1BB-E35F-60C1-0C00-00000000C301}860108C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001374Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:00.897{928AB1BB-E349-60C1-0500-00000000C301}412532C:\Windows\system32\csrss.exe{928AB1BB-E408-60C1-E002-00000000C301}4484C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001373Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:00.897{928AB1BB-E3C4-60C1-CD01-00000000C301}37563340C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{928AB1BB-E408-60C1-E002-00000000C301}4484C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001372Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:00.788{928AB1BB-E408-60C1-E002-00000000C301}4484C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{928AB1BB-E35D-60C1-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{928AB1BB-E3C4-60C1-CD01-00000000C301}3756C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001371Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:58.952{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local52497-truefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local445microsoft-ds 354300x80000000000000001370Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:58.952{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local52497-truefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local445microsoft-ds 354300x80000000000000001369Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:58.950{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52496-truefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000001368Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:58.950{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52496-truefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000001367Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:58.947{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-365.attackrange.local52495-false10.0.1.14win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000001366Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:58.947{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-365.attackrange.local52495-false10.0.1.14win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000001365Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:58.944{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsetrue2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52494-true2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000001364Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:58.944{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruetrue2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52494-true2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 10341000x80000000000000001363Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:00.128{928AB1BB-E35D-60C1-0B00-00000000C301}632692C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001362Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:00.128{928AB1BB-E35D-60C1-0B00-00000000C301}632692C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001361Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:00.128{928AB1BB-E35D-60C1-0B00-00000000C301}632844C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001360Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:00.128{928AB1BB-E35D-60C1-0B00-00000000C301}632844C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001359Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:00.097{928AB1BB-E3C4-60C1-D101-00000000C301}37363700C:\Windows\system32\conhost.exe{928AB1BB-E407-60C1-DF02-00000000C301}4532C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001358Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:00.097{928AB1BB-E35F-60C1-0C00-00000000C301}860108C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001357Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:00.097{928AB1BB-E35F-60C1-0C00-00000000C301}860108C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001356Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:00.097{928AB1BB-E35F-60C1-0C00-00000000C301}860108C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001355Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:00.097{928AB1BB-E35F-60C1-0C00-00000000C301}860108C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001354Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:00.097{928AB1BB-E35F-60C1-0C00-00000000C301}860108C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001353Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:00.097{928AB1BB-E35F-60C1-0C00-00000000C301}860108C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001352Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:00.097{928AB1BB-E35F-60C1-0C00-00000000C301}860108C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001351Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:00.097{928AB1BB-E35F-60C1-0C00-00000000C301}860108C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001350Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:00.097{928AB1BB-E35F-60C1-0C00-00000000C301}860108C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001349Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:00.097{928AB1BB-E349-60C1-0500-00000000C301}412428C:\Windows\system32\csrss.exe{928AB1BB-E407-60C1-DF02-00000000C301}4532C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001348Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:00.097{928AB1BB-E3C4-60C1-CD01-00000000C301}37563340C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{928AB1BB-E407-60C1-DF02-00000000C301}4532C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001347Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:59.988{928AB1BB-E407-60C1-DF02-00000000C301}4532C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{928AB1BB-E35D-60C1-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{928AB1BB-E3C4-60C1-CD01-00000000C301}3756C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001415Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:01.634{928AB1BB-E3CF-60C1-2002-00000000C301}3352NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9B52A2E5559FD12144265250308A5A61,SHA256=5C883BDD02442C8565ADD9FDCE516342DE6B88C2A54D6A8FDBE46CC39BA3D557,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001414Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:01.634{928AB1BB-E3C4-60C1-D101-00000000C301}37363700C:\Windows\system32\conhost.exe{928AB1BB-E409-60C1-E102-00000000C301}4552C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001413Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:01.634{928AB1BB-E35F-60C1-0C00-00000000C301}860108C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001412Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:01.634{928AB1BB-E35F-60C1-0C00-00000000C301}860108C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001411Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:01.634{928AB1BB-E35F-60C1-0C00-00000000C301}860108C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001410Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:01.634{928AB1BB-E35F-60C1-0C00-00000000C301}860108C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001409Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:01.634{928AB1BB-E35F-60C1-0C00-00000000C301}860108C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001408Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:01.634{928AB1BB-E35F-60C1-0C00-00000000C301}860108C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001407Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:01.634{928AB1BB-E35F-60C1-0C00-00000000C301}860108C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001406Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:01.634{928AB1BB-E35F-60C1-0C00-00000000C301}860108C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001405Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:01.634{928AB1BB-E35F-60C1-0C00-00000000C301}860108C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001404Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:01.634{928AB1BB-E349-60C1-0500-00000000C301}412532C:\Windows\system32\csrss.exe{928AB1BB-E409-60C1-E102-00000000C301}4552C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001403Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:01.634{928AB1BB-E3C4-60C1-CD01-00000000C301}37563340C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{928AB1BB-E409-60C1-E102-00000000C301}4552C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001402Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:01.526{928AB1BB-E409-60C1-E102-00000000C301}4552C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{928AB1BB-E35D-60C1-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{928AB1BB-E3C4-60C1-CD01-00000000C301}3756C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001401Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:00.075{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-365.attackrange.local52502-false93.184.220.29-80http 354300x80000000000000001400Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:00.071{928AB1BB-E36F-60C1-1F00-00000000C301}2448C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-365.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-365.attackrange.local52810- 354300x80000000000000001399Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:59.970{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local52501-truefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local445microsoft-ds 354300x80000000000000001398Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:59.970{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local52501-truefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local445microsoft-ds 354300x80000000000000001397Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:59.967{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52500-truefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000001396Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:59.967{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52500-truefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000001395Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:59.963{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-365.attackrange.local52499-false10.0.1.14win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000001394Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:59.963{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-365.attackrange.local52499-false10.0.1.14win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000001393Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:59.959{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsetrue2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52498-true2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000001392Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:59.959{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruetrue2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52498-true2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000001391Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:05:59.911{928AB1BB-E35F-60C1-1100-00000000C301}404C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruefalse10.0.1.14win-dc-365.attackrange.local123ntpfalse51.105.208.173-123ntp 10341000x80000000000000001390Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:01.148{928AB1BB-E35D-60C1-0B00-00000000C301}632852C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001389Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:01.148{928AB1BB-E35D-60C1-0B00-00000000C301}632844C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001388Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:01.148{928AB1BB-E35D-60C1-0B00-00000000C301}632840C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001387Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:01.148{928AB1BB-E35D-60C1-0B00-00000000C301}632840C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001386Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:01.038{928AB1BB-E408-60C1-E002-00000000C301}44844372C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{928AB1BB-E3C4-60C1-CD01-00000000C301}3756C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001463Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:02.889{928AB1BB-E3CF-60C1-2002-00000000C301}3352NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=3D7AB2F194F7139FB5A2A62B0E120430,SHA256=02424DEADF23D0F72B88063F4BEC0EEF2B67875706E944DCFFF1349DA89B1E17,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001462Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:02.889{928AB1BB-E3CF-60C1-2002-00000000C301}3352NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=09575189F9C681325DF8CE82C244535E,SHA256=DCCBF6AD946365E56B93D9A611C3FE0F279C2F8085448DC5EF282D5B96183D41,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001461Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:02.889{928AB1BB-E3C4-60C1-D101-00000000C301}37363700C:\Windows\system32\conhost.exe{928AB1BB-E40A-60C1-E302-00000000C301}4244C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001460Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:02.889{928AB1BB-E3CF-60C1-2002-00000000C301}3352NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=6B75F38978B511CCC32345B870696E18,SHA256=40112DEE35DE046F1503F23FC761F31302A4B91124AA737722F941325155D6DD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001459Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:02.889{928AB1BB-E35F-60C1-0C00-00000000C301}860108C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001458Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:02.889{928AB1BB-E35F-60C1-0C00-00000000C301}860108C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001457Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:02.889{928AB1BB-E35F-60C1-0C00-00000000C301}860108C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001456Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:02.889{928AB1BB-E35F-60C1-0C00-00000000C301}860108C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:02.889{928AB1BB-E35F-60C1-0C00-00000000C301}860108C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:02.889{928AB1BB-E35F-60C1-0C00-00000000C301}860108C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001453Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:02.889{928AB1BB-E35F-60C1-0C00-00000000C301}860108C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001452Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:02.889{928AB1BB-E35F-60C1-0C00-00000000C301}860108C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001451Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:02.889{928AB1BB-E35F-60C1-0C00-00000000C301}860108C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001450Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:02.889{928AB1BB-E349-60C1-0500-00000000C301}412532C:\Windows\system32\csrss.exe{928AB1BB-E40A-60C1-E302-00000000C301}4244C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001449Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:02.889{928AB1BB-E3C4-60C1-CD01-00000000C301}37563340C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{928AB1BB-E40A-60C1-E302-00000000C301}4244C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001448Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:02.891{928AB1BB-E40A-60C1-E302-00000000C301}4244C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{928AB1BB-E35D-60C1-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{928AB1BB-E3C4-60C1-CD01-00000000C301}3756C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001447Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:02.481{928AB1BB-E40A-60C1-E202-00000000C301}43204328C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{928AB1BB-E3C4-60C1-CD01-00000000C301}3756C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001446Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:02.434{928AB1BB-E35D-60C1-0B00-00000000C301}632844C:\Windows\system32\lsass.exe{928AB1BB-E3E9-60C1-AE02-00000000C301}2892C:\Windows\system32\sppsvc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24cea|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001445Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:02.434{928AB1BB-E35D-60C1-0B00-00000000C301}632844C:\Windows\system32\lsass.exe{928AB1BB-E3E9-60C1-AE02-00000000C301}2892C:\Windows\system32\sppsvc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001444Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:02.340{928AB1BB-E3C4-60C1-D101-00000000C301}37363700C:\Windows\system32\conhost.exe{928AB1BB-E40A-60C1-E202-00000000C301}4320C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001443Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:02.340{928AB1BB-E3CF-60C1-2002-00000000C301}3352NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=0FA1B0E8A28339CBF5A878070FEBD295,SHA256=159DA43B3D5B0AAA3E5DD063C8D6223144EC6FF22A51C5770689A6EAE578CF50,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001442Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:02.340{928AB1BB-E35F-60C1-0C00-00000000C301}860108C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001441Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:02.340{928AB1BB-E35F-60C1-0C00-00000000C301}860108C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001440Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:02.340{928AB1BB-E35F-60C1-0C00-00000000C301}860108C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001439Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:02.340{928AB1BB-E35F-60C1-0C00-00000000C301}860108C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001438Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:02.340{928AB1BB-E35F-60C1-0C00-00000000C301}860108C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001437Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:02.340{928AB1BB-E35F-60C1-0C00-00000000C301}860108C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001436Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:02.340{928AB1BB-E35F-60C1-0C00-00000000C301}860108C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001435Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:02.340{928AB1BB-E35F-60C1-0C00-00000000C301}860108C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001434Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:02.340{928AB1BB-E35F-60C1-0C00-00000000C301}860108C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001433Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:02.340{928AB1BB-E349-60C1-0500-00000000C301}412500C:\Windows\system32\csrss.exe{928AB1BB-E40A-60C1-E202-00000000C301}4320C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001432Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:02.340{928AB1BB-E3C4-60C1-CD01-00000000C301}37563340C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{928AB1BB-E40A-60C1-E202-00000000C301}4320C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001431Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:02.232{928AB1BB-E40A-60C1-E202-00000000C301}4320C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{928AB1BB-E35D-60C1-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{928AB1BB-E3C4-60C1-CD01-00000000C301}3756C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001430Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:02.293{928AB1BB-E3E9-60C1-AE02-00000000C301}2892NT AUTHORITY\NETWORK SERVICEC:\Windows\system32\sppsvc.exeC:\Windows\System32\spp\store\2.0\cache\cache.datMD5=C0DA4DA5FFE24EC9B4AB194F9CF05BA3,SHA256=9ED7F60088AB1B6B41F03E144D4833AAAC27FC634FF66A6D9EA48E78B89C1F13,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001429Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:00.990{928AB1BB-E36F-60C1-1F00-00000000C301}2448C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-365.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-365.attackrange.local57724- 354300x80000000000000001428Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:00.990{928AB1BB-E36F-60C1-1F00-00000000C301}2448C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-365.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-365.attackrange.local55127- 354300x80000000000000001427Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:00.984{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local52506-truefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local445microsoft-ds 354300x80000000000000001426Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:00.984{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local52506-truefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local445microsoft-ds 354300x80000000000000001425Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:00.981{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52505-truefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000001424Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:00.981{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52505-truefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000001423Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:00.978{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-365.attackrange.local52504-false10.0.1.14win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000001422Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:00.978{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-365.attackrange.local52504-false10.0.1.14win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000001421Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:00.975{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsetrue2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52503-true2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000001420Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:00.975{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruetrue2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52503-true2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 10341000x80000000000000001419Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:02.168{928AB1BB-E35D-60C1-0B00-00000000C301}632844C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001418Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:02.168{928AB1BB-E35D-60C1-0B00-00000000C301}632840C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001417Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:02.168{928AB1BB-E35D-60C1-0B00-00000000C301}632840C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001416Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:02.168{928AB1BB-E35D-60C1-0B00-00000000C301}632852C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001493Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:03.783{928AB1BB-E40B-60C1-E402-00000000C301}22922472C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{928AB1BB-E3C4-60C1-CD01-00000000C301}3756C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001492Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:03.658{928AB1BB-E3C4-60C1-D101-00000000C301}37363700C:\Windows\system32\conhost.exe{928AB1BB-E40B-60C1-E402-00000000C301}2292C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001491Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:03.642{928AB1BB-E35F-60C1-0C00-00000000C301}860108C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001490Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:03.642{928AB1BB-E35F-60C1-0C00-00000000C301}860108C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001489Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:03.642{928AB1BB-E35F-60C1-0C00-00000000C301}860108C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001488Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:03.642{928AB1BB-E35F-60C1-0C00-00000000C301}860108C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001487Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:03.642{928AB1BB-E35F-60C1-0C00-00000000C301}860108C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001486Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:03.642{928AB1BB-E35F-60C1-0C00-00000000C301}860108C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001485Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:03.642{928AB1BB-E35F-60C1-0C00-00000000C301}860108C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001484Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:03.642{928AB1BB-E35F-60C1-0C00-00000000C301}860108C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001483Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:03.642{928AB1BB-E35F-60C1-0C00-00000000C301}860108C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001482Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:03.642{928AB1BB-E349-60C1-0500-00000000C301}412428C:\Windows\system32\csrss.exe{928AB1BB-E40B-60C1-E402-00000000C301}2292C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001481Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:03.642{928AB1BB-E3C4-60C1-CD01-00000000C301}37563340C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{928AB1BB-E40B-60C1-E402-00000000C301}2292C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001480Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:03.535{928AB1BB-E40B-60C1-E402-00000000C301}2292C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{928AB1BB-E35D-60C1-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{928AB1BB-E3C4-60C1-CD01-00000000C301}3756C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001479Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:03.532{928AB1BB-E3CF-60C1-2002-00000000C301}3352NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=DBDC4A9E44CD0D20B423B9D0208A18AE,SHA256=ECDD0A19B5CD6E6F32543C52811E7A93907C2370C02B1C0F11F1C8749E745E43,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001478Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:03.532{928AB1BB-E3CF-60C1-2002-00000000C301}3352NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=189EA887D97C4DDFA46D01EA303DAF59,SHA256=B6B8FF49B90093B11A7A4C4D1D214B35511A231451CD83F5176DE9F0A415D582,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001477Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:03.532{928AB1BB-E3CF-60C1-2002-00000000C301}3352NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=3D7AB2F194F7139FB5A2A62B0E120430,SHA256=02424DEADF23D0F72B88063F4BEC0EEF2B67875706E944DCFFF1349DA89B1E17,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001476Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:01.999{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local52510-truefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local445microsoft-ds 354300x80000000000000001475Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:01.999{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local52510-truefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local445microsoft-ds 354300x80000000000000001474Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:01.996{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52509-truefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000001473Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:01.996{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52509-truefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000001472Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:01.993{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-365.attackrange.local52508-false10.0.1.14win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000001471Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:01.993{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-365.attackrange.local52508-false10.0.1.14win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000001470Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:01.990{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsetrue2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52507-true2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000001469Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:01.990{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruetrue2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52507-true2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 10341000x80000000000000001468Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:03.187{928AB1BB-E35D-60C1-0B00-00000000C301}632692C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001467Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:03.187{928AB1BB-E35D-60C1-0B00-00000000C301}632692C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001466Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:03.187{928AB1BB-E35D-60C1-0B00-00000000C301}632840C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001465Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:03.187{928AB1BB-E35D-60C1-0B00-00000000C301}632844C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001464Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:03.015{928AB1BB-E40A-60C1-E302-00000000C301}42444168C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{928AB1BB-E3C4-60C1-CD01-00000000C301}3756C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001506Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:03.015{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local52514-truefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local445microsoft-ds 354300x80000000000000001505Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:03.014{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local52514-truefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local445microsoft-ds 354300x80000000000000001504Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:03.012{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52513-truefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000001503Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:03.012{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52513-truefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000001502Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:03.009{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-365.attackrange.local52512-false10.0.1.14win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000001501Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:03.009{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-365.attackrange.local52512-false10.0.1.14win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000001500Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:03.006{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsetrue2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52511-true2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000001499Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:03.006{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruetrue2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52511-true2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 23542300x80000000000000001498Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:04.301{928AB1BB-E3CF-60C1-2002-00000000C301}3352NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3536FC5CA2B67A8B29E62636E7D1E08A,SHA256=97DCA0D41B44ED756C619B7AFD97AB3F9ABC289E6F49D8FC70501632FC539625,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001497Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:04.207{928AB1BB-E35D-60C1-0B00-00000000C301}632692C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001496Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:04.207{928AB1BB-E35D-60C1-0B00-00000000C301}632692C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001495Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:04.207{928AB1BB-E35D-60C1-0B00-00000000C301}632692C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001494Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:04.207{928AB1BB-E35D-60C1-0B00-00000000C301}632692C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 23542300x80000000000000001532Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:05.760{928AB1BB-E3CF-60C1-2002-00000000C301}3352NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4DE234472EE96A5BD1060C2BEE7B0546,SHA256=EF896C7D4BFBE1C035D9608D4124D0A817823A0B1A971A44922F560F14AD8D68,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001531Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:04.030{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local52518-truefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local445microsoft-ds 354300x80000000000000001530Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:04.030{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local52518-truefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local445microsoft-ds 354300x80000000000000001529Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:04.027{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52517-truefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000001528Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:04.027{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52517-truefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000001527Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:04.024{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-365.attackrange.local52516-false10.0.1.14win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000001526Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:04.024{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-365.attackrange.local52516-false10.0.1.14win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000001525Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:04.021{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsetrue2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52515-true2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000001524Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:04.021{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruetrue2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52515-true2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 10341000x80000000000000001523Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:05.226{928AB1BB-E35D-60C1-0B00-00000000C301}632692C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001522Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:05.226{928AB1BB-E35D-60C1-0B00-00000000C301}632840C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001521Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:05.226{928AB1BB-E35D-60C1-0B00-00000000C301}632692C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001520Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:05.226{928AB1BB-E35D-60C1-0B00-00000000C301}632692C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001519Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:05.038{928AB1BB-E3C4-60C1-D101-00000000C301}37363700C:\Windows\system32\conhost.exe{928AB1BB-E40C-60C1-E502-00000000C301}4200C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:05.038{928AB1BB-E35F-60C1-0C00-00000000C301}860108C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001517Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:05.038{928AB1BB-E35F-60C1-0C00-00000000C301}860108C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:05.038{928AB1BB-E35F-60C1-0C00-00000000C301}860108C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:05.038{928AB1BB-E35F-60C1-0C00-00000000C301}860108C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001514Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:05.038{928AB1BB-E35F-60C1-0C00-00000000C301}860108C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001513Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:05.038{928AB1BB-E35F-60C1-0C00-00000000C301}860108C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001512Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:05.038{928AB1BB-E35F-60C1-0C00-00000000C301}860108C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001511Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:05.038{928AB1BB-E35F-60C1-0C00-00000000C301}860108C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001510Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:05.038{928AB1BB-E35F-60C1-0C00-00000000C301}860108C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001509Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:05.038{928AB1BB-E349-60C1-0500-00000000C301}412500C:\Windows\system32\csrss.exe{928AB1BB-E40C-60C1-E502-00000000C301}4200C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001508Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:05.038{928AB1BB-E3C4-60C1-CD01-00000000C301}37563340C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{928AB1BB-E40C-60C1-E502-00000000C301}4200C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001507Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:04.930{928AB1BB-E40C-60C1-E502-00000000C301}4200C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{928AB1BB-E35D-60C1-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{928AB1BB-E3C4-60C1-CD01-00000000C301}3756C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001545Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:05.046{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local52522-truefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local445microsoft-ds 354300x80000000000000001544Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:05.045{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local52522-truefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local445microsoft-ds 354300x80000000000000001543Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:05.043{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52521-truefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000001542Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:05.043{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52521-truefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000001541Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:05.040{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-365.attackrange.local52520-false10.0.1.14win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000001540Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:05.040{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-365.attackrange.local52520-false10.0.1.14win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000001539Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:05.037{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsetrue2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52519-true2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000001538Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:05.037{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruetrue2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52519-true2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 23542300x80000000000000001537Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:06.309{928AB1BB-E3CF-60C1-2002-00000000C301}3352NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=874A440861E74D83739D16427FB88E5D,SHA256=6496E7EF9283C914D53688BDE222D07FEA8E045F5DF8045A6AAB09C204415B44,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001536Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:06.246{928AB1BB-E35D-60C1-0B00-00000000C301}632844C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001535Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:06.246{928AB1BB-E35D-60C1-0B00-00000000C301}632852C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001534Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:06.246{928AB1BB-E35D-60C1-0B00-00000000C301}632692C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001533Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:06.246{928AB1BB-E35D-60C1-0B00-00000000C301}632692C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 13241300x80000000000000001559Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-SetValue2021-06-10 10:06:07.909{928AB1BB-E35F-60C1-1100-00000000C301}404C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d75de0-0x3b4410b7) 23542300x80000000000000001558Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:07.720{928AB1BB-E3CF-60C1-2002-00000000C301}3352NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4703D8DC31C43C3C6A05E5C841A8C89E,SHA256=B82F9AA569F86FC2907999B9086F6C9362DBAA2E599BA68F610AE996E6BC1D2A,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001557Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:06.061{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local52526-truefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local445microsoft-ds 354300x80000000000000001556Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:06.061{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local52526-truefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local445microsoft-ds 354300x80000000000000001555Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:06.059{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52525-truefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000001554Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:06.059{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52525-truefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000001553Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:06.056{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-365.attackrange.local52524-false10.0.1.14win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000001552Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:06.056{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-365.attackrange.local52524-false10.0.1.14win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000001551Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:06.053{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsetrue2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52523-true2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000001550Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:06.053{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruetrue2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52523-true2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 10341000x80000000000000001549Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:07.266{928AB1BB-E35D-60C1-0B00-00000000C301}632852C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001548Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:07.266{928AB1BB-E35D-60C1-0B00-00000000C301}632852C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001547Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:07.266{928AB1BB-E35D-60C1-0B00-00000000C301}632844C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001546Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:07.266{928AB1BB-E35D-60C1-0B00-00000000C301}632844C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001590Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:08.991{928AB1BB-E35F-60C1-0C00-00000000C301}860904C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001589Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:08.991{928AB1BB-E35F-60C1-0C00-00000000C301}860904C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001588Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:08.991{928AB1BB-E35F-60C1-0C00-00000000C301}860904C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001587Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:08.991{928AB1BB-E35F-60C1-0C00-00000000C301}860904C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001586Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:08.991{928AB1BB-E35F-60C1-0C00-00000000C301}860904C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001585Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:08.991{928AB1BB-E35F-60C1-0C00-00000000C301}860904C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001584Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:08.991{928AB1BB-E35F-60C1-0C00-00000000C301}860904C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001583Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:08.991{928AB1BB-E35F-60C1-0C00-00000000C301}860904C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001582Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:08.991{928AB1BB-E35F-60C1-0C00-00000000C301}860904C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001581Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:08.991{928AB1BB-E349-60C1-0500-00000000C301}412532C:\Windows\system32\csrss.exe{928AB1BB-E410-60C1-E602-00000000C301}4952C:\Windows\system32\WinrsHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001580Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:08.991{928AB1BB-E35F-60C1-0C00-00000000C301}860108C:\Windows\system32\svchost.exe{928AB1BB-E410-60C1-E602-00000000C301}4952C:\Windows\system32\WinrsHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+35069|c:\windows\system32\rpcss.dll+3a852|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001579Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:08.995{928AB1BB-E410-60C1-E602-00000000C301}4952C:\Windows\System32\winrshost.exe10.0.14393.0 (rs1_release.160715-1616)Host Process for WinRM's Remote Shell pluginMicrosoft® Windows® Operating SystemMicrosoft Corporationwinrshost.exeC:\Windows\system32\WinrsHost.exe -EmbeddingC:\Windows\system32\ATTACKRANGE\Administrator{928AB1BB-E410-60C1-65BD-0F0000000000}0xfbd650HighMD5=F40EC96CA18D88CB1F26FA2070010714,SHA256=607C014A3CA531FFAD50BCD90095C01E4E6B691D9E18473C70E4699CF1E31453,IMPHASH=4216D8E7F36901B61DFD6309B49BCF96{928AB1BB-E35F-60C1-0C00-00000000C301}860C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch 10341000x80000000000000001578Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:08.991{928AB1BB-E35D-60C1-0B00-00000000C301}632692C:\Windows\system32\lsass.exe{928AB1BB-E35F-60C1-1300-00000000C301}964C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+1d1e8|C:\Windows\system32\lsasrv.dll+1c411|C:\Windows\system32\lsasrv.dll+1ac30|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001577Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:08.991{928AB1BB-E35D-60C1-0B00-00000000C301}632692C:\Windows\system32\lsass.exe{928AB1BB-E35F-60C1-1300-00000000C301}964C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+19616|C:\Windows\system32\lsasrv.dll+1abbf|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001576Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:08.991{928AB1BB-E35D-60C1-0B00-00000000C301}632692C:\Windows\system32\lsass.exe{928AB1BB-E35F-60C1-1300-00000000C301}964C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001575Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:08.724{928AB1BB-E3CF-60C1-2002-00000000C301}3352NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=557ABB680B9C376B3A5DF95791F0C2A7,SHA256=3734CFE63FC4E29506400EC812F0C1DCB393622F9EDC8326CE18BE092514D04B,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001574Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:07.209{928AB1BB-E36F-60C1-1F00-00000000C301}2448C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-365.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-365.attackrange.local62535- 354300x80000000000000001573Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:07.209{928AB1BB-E36F-60C1-1F00-00000000C301}2448C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-365.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-365.attackrange.local58511- 354300x80000000000000001572Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:07.208{928AB1BB-E36F-60C1-1F00-00000000C301}2448C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-365.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-365.attackrange.local53652- 354300x80000000000000001571Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:07.077{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local52530-truefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local445microsoft-ds 354300x80000000000000001570Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:07.077{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local52530-truefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local445microsoft-ds 354300x80000000000000001569Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:07.074{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52529-truefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000001568Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:07.074{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52529-truefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000001567Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:07.071{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-365.attackrange.local52528-false10.0.1.14win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000001566Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:07.071{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-365.attackrange.local52528-false10.0.1.14win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000001565Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:07.068{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsetrue2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52527-true2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000001564Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:07.068{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruetrue2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52527-true2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 10341000x80000000000000001563Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:08.285{928AB1BB-E35D-60C1-0B00-00000000C301}632840C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001562Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:08.285{928AB1BB-E35D-60C1-0B00-00000000C301}632692C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001561Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:08.285{928AB1BB-E35D-60C1-0B00-00000000C301}632844C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001560Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:08.285{928AB1BB-E35D-60C1-0B00-00000000C301}632852C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 354300x80000000000000001650Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:08.093{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local52534-truefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local445microsoft-ds 354300x80000000000000001649Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:08.093{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local52534-truefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local445microsoft-ds 354300x80000000000000001648Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:08.090{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52533-truefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000001647Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:08.090{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52533-truefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000001646Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:08.087{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-365.attackrange.local52532-false10.0.1.14win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000001645Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:08.087{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-365.attackrange.local52532-false10.0.1.14win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000001644Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:08.084{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsetrue2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52531-true2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000001643Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:08.084{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruetrue2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52531-true2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 23542300x80000000000000001642Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:09.477{928AB1BB-E3CF-60C1-2002-00000000C301}3352NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=35724E21152094732CED17B8763EC45E,SHA256=ADD398B8400C944F9EE77D45E95056DD96E1B7D907151819D95E491F266EBA38,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001641Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:09.305{928AB1BB-E35D-60C1-0B00-00000000C301}632692C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001640Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:09.305{928AB1BB-E35D-60C1-0B00-00000000C301}632852C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001639Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:09.305{928AB1BB-E35D-60C1-0B00-00000000C301}632852C:\Windows\system32\lsass.exe{928AB1BB-E35F-60C1-1300-00000000C301}964C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+1d1e8|C:\Windows\system32\lsasrv.dll+1c411|C:\Windows\system32\lsasrv.dll+1ac30|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001638Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:09.305{928AB1BB-E35D-60C1-0B00-00000000C301}632852C:\Windows\system32\lsass.exe{928AB1BB-E35F-60C1-1300-00000000C301}964C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+19616|C:\Windows\system32\lsasrv.dll+1abbf|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001637Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:09.305{928AB1BB-E35D-60C1-0B00-00000000C301}632852C:\Windows\system32\lsass.exe{928AB1BB-E35F-60C1-1300-00000000C301}964C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001636Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:09.305{928AB1BB-E35D-60C1-0B00-00000000C301}632692C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001635Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:09.305{928AB1BB-E35D-60C1-0B00-00000000C301}632692C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 23542300x80000000000000001634Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:09.258{928AB1BB-E411-60C1-E902-00000000C301}4588ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5=446DD1CF97EABA21CF14D03AEBC79F27,SHA256=A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001633Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:09.132{928AB1BB-E35D-60C1-0B00-00000000C301}632692C:\Windows\system32\lsass.exe{928AB1BB-E411-60C1-E902-00000000C301}4588C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001632Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:09.132{928AB1BB-E35D-60C1-0B00-00000000C301}632692C:\Windows\system32\lsass.exe{928AB1BB-E411-60C1-E902-00000000C301}4588C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 17141700x80000000000000001631Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-CreatePipe2021-06-10 10:06:09.116{928AB1BB-E411-60C1-E902-00000000C301}4588\PSHost.132677931690629992.4588.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 23542300x80000000000000001630Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:09.101{928AB1BB-E411-60C1-E902-00000000C301}4588ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_nhkre2cq.ewy.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001629Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:09.101{928AB1BB-E411-60C1-E902-00000000C301}4588ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_ovqrqgmw.ah1.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000001628Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:09.085{928AB1BB-E411-60C1-E902-00000000C301}4588C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_ovqrqgmw.ah1.ps12021-06-10 10:06:09.085 10341000x80000000000000001627Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:09.085{928AB1BB-E35F-60C1-0C00-00000000C301}860904C:\Windows\system32\svchost.exe{928AB1BB-E411-60C1-E902-00000000C301}4588C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001626Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:09.069{928AB1BB-E35D-60C1-0B00-00000000C301}632692C:\Windows\system32\lsass.exe{928AB1BB-E35F-60C1-1300-00000000C301}964C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+1d1e8|C:\Windows\system32\lsasrv.dll+1c411|C:\Windows\system32\lsasrv.dll+1ac30|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001625Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:09.069{928AB1BB-E35D-60C1-0B00-00000000C301}632692C:\Windows\system32\lsass.exe{928AB1BB-E35F-60C1-1300-00000000C301}964C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+19616|C:\Windows\system32\lsasrv.dll+1abbf|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001624Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:09.069{928AB1BB-E35D-60C1-0B00-00000000C301}632692C:\Windows\system32\lsass.exe{928AB1BB-E35F-60C1-1300-00000000C301}964C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001623Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:09.054{928AB1BB-E410-60C1-E702-00000000C301}49644792C:\Windows\system32\conhost.exe{928AB1BB-E411-60C1-E902-00000000C301}4588C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001622Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:09.054{928AB1BB-E35F-60C1-0C00-00000000C301}860904C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001621Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:09.054{928AB1BB-E35F-60C1-0C00-00000000C301}860904C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001620Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:09.054{928AB1BB-E35F-60C1-0C00-00000000C301}860904C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001619Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:09.054{928AB1BB-E35F-60C1-0C00-00000000C301}860904C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001618Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:09.054{928AB1BB-E35F-60C1-0C00-00000000C301}860904C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001617Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:09.054{928AB1BB-E35F-60C1-0C00-00000000C301}860904C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001616Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:09.054{928AB1BB-E35F-60C1-0C00-00000000C301}860904C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001615Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:09.054{928AB1BB-E35F-60C1-0C00-00000000C301}860904C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001614Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:09.054{928AB1BB-E35F-60C1-0C00-00000000C301}860904C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001613Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:09.054{928AB1BB-E349-60C1-0500-00000000C301}412428C:\Windows\system32\csrss.exe{928AB1BB-E411-60C1-E902-00000000C301}4588C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001612Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:09.054{928AB1BB-E411-60C1-E802-00000000C301}47604984C:\Windows\system32\cmd.exe{928AB1BB-E411-60C1-E902-00000000C301}4588C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001611Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:09.062{928AB1BB-E411-60C1-E902-00000000C301}4588C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXEPowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand KABHAGUAdAAtAFcAbQBpAE8AYgBqAGUAYwB0ACAALQBDAGwAYQBzAHMATgBhAG0AZQAgAFcAaQBuADMAMgBfAE8AcABlAHIAYQB0AGkAbgBnAFMAeQBzAHQAZQBtACkALgBMAGEAcwB0AEIAbwBvAHQAVQBwAFQAaQBtAGUAC:\Users\Administrator\ATTACKRANGE\Administrator{928AB1BB-E410-60C1-65BD-0F0000000000}0xfbd650HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{928AB1BB-E411-60C1-E802-00000000C301}4760C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /C PowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand KABHAGUAdAAtAFcAbQBpAE8AYgBqAGUAYwB0ACAALQBDAGwAYQBzAHMATgBhAG0AZQAgAFcAaQBuADMAMgBfAE8AcABlAHIAYQB0AGkAbgBnAFMAeQBzAHQAZQBtACkALgBMAGEAcwB0AEIAbwBvAHQAVQBwAFQAaQBtAGUA 10341000x80000000000000001610Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:09.054{928AB1BB-E410-60C1-E702-00000000C301}49644792C:\Windows\system32\conhost.exe{928AB1BB-E411-60C1-E802-00000000C301}4760C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001609Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:09.038{928AB1BB-E35F-60C1-0C00-00000000C301}860904C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001608Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:09.038{928AB1BB-E35F-60C1-0C00-00000000C301}860904C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001607Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:09.038{928AB1BB-E35F-60C1-0C00-00000000C301}860904C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001606Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:09.038{928AB1BB-E35F-60C1-0C00-00000000C301}860904C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001605Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:09.038{928AB1BB-E35F-60C1-0C00-00000000C301}860904C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001604Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:09.038{928AB1BB-E35F-60C1-0C00-00000000C301}860904C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001603Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:09.038{928AB1BB-E35F-60C1-0C00-00000000C301}860904C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001602Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:09.038{928AB1BB-E35F-60C1-0C00-00000000C301}860904C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001601Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:09.038{928AB1BB-E349-60C1-0500-00000000C301}412428C:\Windows\system32\csrss.exe{928AB1BB-E411-60C1-E802-00000000C301}4760C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001600Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:09.038{928AB1BB-E35F-60C1-0C00-00000000C301}860904C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001599Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:09.038{928AB1BB-E410-60C1-E602-00000000C301}49524696C:\Windows\system32\WinrsHost.exe{928AB1BB-E411-60C1-E802-00000000C301}4760C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\WinrsHost.exe+2c94|C:\Windows\system32\WinrsHost.exe+2eb1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b 154100x80000000000000001598Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:09.051{928AB1BB-E411-60C1-E802-00000000C301}4760C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /C PowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand KABHAGUAdAAtAFcAbQBpAE8AYgBqAGUAYwB0ACAALQBDAGwAYQBzAHMATgBhAG0AZQAgAFcAaQBuADMAMgBfAE8AcABlAHIAYQB0AGkAbgBnAFMAeQBzAHQAZQBtACkALgBMAGEAcwB0AEIAbwBvAHQAVQBwAFQAaQBtAGUAC:\Users\Administrator\ATTACKRANGE\Administrator{928AB1BB-E410-60C1-65BD-0F0000000000}0xfbd650HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{928AB1BB-E410-60C1-E602-00000000C301}4952C:\Windows\System32\winrshost.exeC:\Windows\system32\WinrsHost.exe -Embedding 10341000x80000000000000001597Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:09.038{928AB1BB-E35D-60C1-0B00-00000000C301}632692C:\Windows\system32\lsass.exe{928AB1BB-E35F-60C1-1300-00000000C301}964C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+1d1e8|C:\Windows\system32\lsasrv.dll+1c411|C:\Windows\system32\lsasrv.dll+1ac30|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001596Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:09.038{928AB1BB-E35D-60C1-0B00-00000000C301}632692C:\Windows\system32\lsass.exe{928AB1BB-E35F-60C1-1300-00000000C301}964C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+19616|C:\Windows\system32\lsasrv.dll+1abbf|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001595Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:09.038{928AB1BB-E35D-60C1-0B00-00000000C301}632692C:\Windows\system32\lsass.exe{928AB1BB-E35F-60C1-1300-00000000C301}964C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001594Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:09.022{928AB1BB-E35F-60C1-1300-00000000C301}9641504C:\Windows\system32\svchost.exe{928AB1BB-E410-60C1-E602-00000000C301}4952C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\winrscmd.dll+8d36|C:\Windows\system32\winrscmd.dll+92d5|C:\Windows\system32\winrscmd.dll+af31|C:\Windows\system32\winrscmd.dll+23dc|c:\windows\system32\wsmsvc.dll+155ac7|c:\windows\system32\wsmsvc.dll+13f76d|c:\windows\system32\wsmsvc.dll+13f3cf|c:\windows\system32\wsmsvc.dll+13fcb2|c:\windows\system32\wsmsvc.dll+9ab10|c:\windows\system32\wsmsvc.dll+9b611|c:\windows\system32\wsmsvc.dll+4495|c:\windows\system32\wsmsvc.dll+16816c|c:\windows\system32\wsmsvc.dll+1689b8|c:\windows\system32\wsmsvc.dll+16345b|c:\windows\system32\wsmsvc.dll+163125|c:\windows\system32\wsmsvc.dll+14ce9c|c:\windows\system32\wsmsvc.dll+130049|c:\windows\system32\wsmsvc.dll+13571a|c:\windows\system32\wsmsvc.dll+12f47e|c:\windows\system32\wsmsvc.dll+125587|c:\windows\system32\wsmsvc.dll+11f562|c:\windows\system32\wsmsvc.dll+124574 10341000x80000000000000001593Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:09.007{928AB1BB-E35F-60C1-0C00-00000000C301}860904C:\Windows\system32\svchost.exe{928AB1BB-E410-60C1-E602-00000000C301}4952C:\Windows\system32\WinrsHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001592Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:09.007{928AB1BB-E410-60C1-E702-00000000C301}49644792C:\Windows\system32\conhost.exe{928AB1BB-E410-60C1-E602-00000000C301}4952C:\Windows\system32\WinrsHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001591Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:08.991{928AB1BB-E349-60C1-0500-00000000C301}412428C:\Windows\system32\csrss.exe{928AB1BB-E410-60C1-E702-00000000C301}4964C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 354300x80000000000000001663Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:09.109{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local52539-truefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local445microsoft-ds 354300x80000000000000001662Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:09.108{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local52539-truefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local445microsoft-ds 354300x80000000000000001661Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:09.106{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52538-truefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000001660Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:09.106{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52538-truefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000001659Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:09.103{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-365.attackrange.local52537-false10.0.1.14win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000001658Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:09.103{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-365.attackrange.local52537-false10.0.1.14win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000001657Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:09.099{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsetrue2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52536-true2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000001656Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:09.099{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruetrue2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52536-true2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 10341000x80000000000000001655Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:10.324{928AB1BB-E35D-60C1-0B00-00000000C301}632676C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001654Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:10.324{928AB1BB-E35D-60C1-0B00-00000000C301}632676C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001653Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:10.324{928AB1BB-E35D-60C1-0B00-00000000C301}632692C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001652Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:10.324{928AB1BB-E35D-60C1-0B00-00000000C301}632692C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 354300x80000000000000001651Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:08.725{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse46.128.24.7946.128.24.79.dynamic.cablesurf.de52689-false10.0.1.14win-dc-365.attackrange.local5986- 354300x80000000000000001676Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:10.124{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local52543-truefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local445microsoft-ds 354300x80000000000000001675Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:10.124{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local52543-truefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local445microsoft-ds 23542300x80000000000000001674Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:11.547{928AB1BB-E3CF-60C1-2002-00000000C301}3352NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=27E7F90B3F77DC937259DC88379DB244,SHA256=C6FAA6239C3CB44B0D5F61759C3FC881A5BE31A40B2B6F5121C3867666A4C530,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001673Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:10.121{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52542-truefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000001672Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:10.121{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52542-truefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000001671Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:10.118{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-365.attackrange.local52541-false10.0.1.14win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000001670Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:10.118{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-365.attackrange.local52541-false10.0.1.14win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000001669Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:10.115{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsetrue2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52540-true2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000001668Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:10.115{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruetrue2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52540-true2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 10341000x80000000000000001667Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:11.343{928AB1BB-E35D-60C1-0B00-00000000C301}632852C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001666Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:11.343{928AB1BB-E35D-60C1-0B00-00000000C301}632840C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001665Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:11.343{928AB1BB-E35D-60C1-0B00-00000000C301}632692C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001664Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:11.343{928AB1BB-E35D-60C1-0B00-00000000C301}632692C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 23542300x80000000000000001690Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:12.723{928AB1BB-E35F-60C1-1000-00000000C301}8NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=C00498E85A39EB6CB703D9A03D6556F0,SHA256=01C213EB7028420FED1045DD707BC46C01A76C92FE4B364205E22F637445799C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001689Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:11.139{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local52547-truefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local445microsoft-ds 354300x80000000000000001688Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:11.139{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local52547-truefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local445microsoft-ds 354300x80000000000000001687Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:11.137{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52546-truefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000001686Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:11.137{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52546-truefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000001685Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:11.134{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-365.attackrange.local52545-false10.0.1.14win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000001684Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:11.134{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-365.attackrange.local52545-false10.0.1.14win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000001683Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:11.131{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsetrue2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52544-true2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000001682Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:11.131{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruetrue2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52544-true2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 10341000x80000000000000001681Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:12.363{928AB1BB-E35D-60C1-0B00-00000000C301}632840C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001680Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:12.363{928AB1BB-E35D-60C1-0B00-00000000C301}632840C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001679Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:12.363{928AB1BB-E35D-60C1-0B00-00000000C301}632852C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001678Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:12.363{928AB1BB-E35D-60C1-0B00-00000000C301}632676C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 23542300x80000000000000001677Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:12.175{928AB1BB-E3CF-60C1-2002-00000000C301}3352NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3E428C3376EB59C06C9DB63D398FF58F,SHA256=4F8681FCBC89268F98A0453D88FF7A2C5CFD6C96A033BA4C16265953265282C6,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001708Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:12.155{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52551-truefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000001707Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:12.155{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52551-truefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 23542300x80000000000000001706Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:13.664{928AB1BB-E3CF-60C1-2002-00000000C301}3352NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C7705D6EC9B75F29D4D370C3B9138404,SHA256=B770792C3A0BEE72C9132314F11920D58D901C45FCBF5612F2490340610AE674,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001705Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:12.152{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-365.attackrange.local52550-false10.0.1.14win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000001704Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:12.152{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-365.attackrange.local52550-false10.0.1.14win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000001703Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:12.149{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-365.attackrange.local52549-false10.0.1.14win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000001702Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:12.149{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-365.attackrange.local52549-false10.0.1.14win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000001701Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:12.146{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsetrue2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52548-true2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000001700Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:12.146{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruetrue2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52548-true2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 10341000x80000000000000001699Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:13.382{928AB1BB-E35D-60C1-0B00-00000000C301}632840C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001698Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:13.382{928AB1BB-E35D-60C1-0B00-00000000C301}632840C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001697Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:13.382{928AB1BB-E35D-60C1-0B00-00000000C301}632840C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001696Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:13.382{928AB1BB-E35D-60C1-0B00-00000000C301}632692C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001695Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:13.272{928AB1BB-E349-60C1-0500-00000000C301}412500C:\Windows\system32\csrss.exe{928AB1BB-E415-60C1-EA02-00000000C301}5052C:\Windows\system32\wermgr.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001694Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:13.272{928AB1BB-E35F-60C1-1600-00000000C301}12641924C:\Windows\system32\svchost.exe{928AB1BB-E415-60C1-EA02-00000000C301}5052C:\Windows\system32\wermgr.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|c:\windows\system32\UBPM.dll+a7a1|c:\windows\system32\UBPM.dll+fa34|c:\windows\system32\UBPM.dll+cdcc|c:\windows\system32\UBPM.dll+d395|c:\windows\system32\UBPM.dll+dc95|c:\windows\system32\UBPM.dll+e9dd|c:\windows\system32\UBPM.dll+e0a4|c:\windows\system32\UBPM.dll+11662|c:\windows\system32\EventAggregation.dll+3fae|c:\windows\system32\EventAggregation.dll+3ea1|c:\windows\system32\EventAggregation.dll+36c9|c:\windows\system32\EventAggregation.dll+332f|c:\windows\system32\EventAggregation.dll+2e28|C:\Windows\SYSTEM32\ntdll.dll+65b55|C:\Windows\SYSTEM32\ntdll.dll+6585d|C:\Windows\SYSTEM32\ntdll.dll+656c0|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001693Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:13.272{928AB1BB-E35F-60C1-0C00-00000000C301}860904C:\Windows\system32\svchost.exe{928AB1BB-E35F-60C1-1600-00000000C301}1264C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001692Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:13.272{928AB1BB-E35F-60C1-0C00-00000000C301}860904C:\Windows\system32\svchost.exe{928AB1BB-E35F-60C1-1600-00000000C301}1264C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001691Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:13.194{928AB1BB-E3CF-60C1-2002-00000000C301}3352NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=AC7038F622D27DEBAB4BB3926CE0B31F,SHA256=6C3442EB38DFDB39BC309D5830AB39289E5A5F510EDDC9349214E98E6D9A2441,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001717Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:14.668{928AB1BB-E3CF-60C1-2002-00000000C301}3352NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DC68D681827EDC0A9FF0E161381E1372,SHA256=BDDB599521E7E73CA78AEE826368D4DE73942E5C230134F21A15577333C97BBF,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001716Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:13.165{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsetrue2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52553-true2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000001715Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:13.165{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruetrue2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52553-true2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000001714Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:13.162{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local52552-truefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local445microsoft-ds 354300x80000000000000001713Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:13.162{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local52552-truefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local445microsoft-ds 10341000x80000000000000001712Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:14.401{928AB1BB-E35D-60C1-0B00-00000000C301}632676C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001711Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:14.401{928AB1BB-E35D-60C1-0B00-00000000C301}632676C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001710Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:14.401{928AB1BB-E35D-60C1-0B00-00000000C301}632852C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001709Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:14.401{928AB1BB-E35D-60C1-0B00-00000000C301}632840C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001725Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:15.421{928AB1BB-E35D-60C1-0B00-00000000C301}632852C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001724Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:15.421{928AB1BB-E35D-60C1-0B00-00000000C301}632852C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001723Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:15.421{928AB1BB-E35D-60C1-0B00-00000000C301}632692C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001722Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:15.421{928AB1BB-E35D-60C1-0B00-00000000C301}632692C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 354300x80000000000000001721Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:13.171{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52555-truefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000001720Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:13.171{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52555-truefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000001719Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:13.168{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-365.attackrange.local52554-false10.0.1.14win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000001718Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:13.168{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-365.attackrange.local52554-false10.0.1.14win-dc-365.attackrange.local445microsoft-ds 23542300x80000000000000001744Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:16.785{928AB1BB-E3CF-60C1-2002-00000000C301}3352NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=181A3F31729F94F656589C6B4F61D319,SHA256=09EBF4998354BDE2204CC4BA4B0CB345B416251589C61313420A396144C5E319,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001743Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:15.198{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-365.attackrange.local52562-false10.0.1.14win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000001742Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:15.198{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-365.attackrange.local52562-false10.0.1.14win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000001741Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:15.196{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsetrue2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52561-true2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000001740Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:15.196{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruetrue2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52561-true2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000001739Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:15.193{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local52560-truefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local445microsoft-ds 354300x80000000000000001738Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:15.193{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local52560-truefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local445microsoft-ds 10341000x80000000000000001737Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:16.440{928AB1BB-E35D-60C1-0B00-00000000C301}632840C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001736Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:16.440{928AB1BB-E35D-60C1-0B00-00000000C301}632676C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001735Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:16.440{928AB1BB-E35D-60C1-0B00-00000000C301}632852C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001734Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:16.440{928AB1BB-E35D-60C1-0B00-00000000C301}632852C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 354300x80000000000000001733Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:14.186{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52559-truefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000001732Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:14.186{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52559-truefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000001731Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:14.183{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-365.attackrange.local52558-false10.0.1.14win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000001730Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:14.183{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-365.attackrange.local52558-false10.0.1.14win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000001729Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:14.180{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsetrue2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52557-true2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000001728Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:14.180{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruetrue2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52557-true2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000001727Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:14.177{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local52556-truefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local445microsoft-ds 354300x80000000000000001726Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:14.177{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local52556-truefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local445microsoft-ds 23542300x80000000000000001755Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:17.804{928AB1BB-E3CF-60C1-2002-00000000C301}3352NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=31FAAF20ECFEF0A615D43EA45FFEE692,SHA256=34CDA3281ECF5D601ACB1D051A7CFACDF7290B1A53DCC22D70A606FDDD2F047B,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001754Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:16.212{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsetrue2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52565-true2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000001753Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:16.212{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruetrue2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52565-true2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000001752Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:16.209{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local52564-truefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local445microsoft-ds 354300x80000000000000001751Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:16.208{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local52564-truefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local445microsoft-ds 10341000x80000000000000001750Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:17.459{928AB1BB-E35D-60C1-0B00-00000000C301}632676C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001749Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:17.459{928AB1BB-E35D-60C1-0B00-00000000C301}632676C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001748Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:17.459{928AB1BB-E35D-60C1-0B00-00000000C301}632676C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001747Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:17.459{928AB1BB-E35D-60C1-0B00-00000000C301}632840C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 354300x80000000000000001746Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:15.201{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52563-truefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000001745Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:15.201{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52563-truefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000001772Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:17.233{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52571-truefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000001771Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:17.233{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52571-truefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 23542300x80000000000000001770Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:18.823{928AB1BB-E3CF-60C1-2002-00000000C301}3352NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6223C589D20A0AF582A896D03A61EDAA,SHA256=984976D9AAC4AFCC5F9D7D824A829D1BC7BEAE97DD82EE3FD4B009C45DFD800E,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001769Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:17.230{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-365.attackrange.local52570-false10.0.1.14win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000001768Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:17.230{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-365.attackrange.local52570-false10.0.1.14win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000001767Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:17.227{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsetrue2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52569-true2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000001766Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:17.227{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruetrue2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52569-true2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000001765Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:17.224{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local52568-truefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local445microsoft-ds 354300x80000000000000001764Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:17.224{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local52568-truefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local445microsoft-ds 10341000x80000000000000001763Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:18.478{928AB1BB-E35D-60C1-0B00-00000000C301}632852C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001762Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:18.478{928AB1BB-E35D-60C1-0B00-00000000C301}632840C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001761Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:18.478{928AB1BB-E35D-60C1-0B00-00000000C301}632692C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001760Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:18.478{928AB1BB-E35D-60C1-0B00-00000000C301}632692C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 354300x80000000000000001759Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:16.217{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52567-truefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000001758Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:16.217{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52567-truefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000001757Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:16.215{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-365.attackrange.local52566-false10.0.1.14win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000001756Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:16.215{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-365.attackrange.local52566-false10.0.1.14win-dc-365.attackrange.local445microsoft-ds 10341000x80000000000000001776Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:19.498{928AB1BB-E35D-60C1-0B00-00000000C301}632676C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001775Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:19.498{928AB1BB-E35D-60C1-0B00-00000000C301}632692C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001774Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:19.498{928AB1BB-E35D-60C1-0B00-00000000C301}632692C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001773Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:19.498{928AB1BB-E35D-60C1-0B00-00000000C301}632692C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001794Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:20.517{928AB1BB-E35D-60C1-0B00-00000000C301}632692C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001793Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:20.517{928AB1BB-E35D-60C1-0B00-00000000C301}632840C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001792Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:20.517{928AB1BB-E35D-60C1-0B00-00000000C301}632852C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001791Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:20.517{928AB1BB-E35D-60C1-0B00-00000000C301}632676C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 354300x80000000000000001790Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:19.261{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-365.attackrange.local52578-false10.0.1.14win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000001789Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:19.261{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-365.attackrange.local52578-false10.0.1.14win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000001788Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:19.258{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsetrue2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52577-true2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000001787Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:19.258{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruetrue2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52577-true2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000001786Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:19.255{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local52576-truefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local445microsoft-ds 354300x80000000000000001785Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:19.255{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local52576-truefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local445microsoft-ds 354300x80000000000000001784Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:18.248{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52575-truefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000001783Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:18.248{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52575-truefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000001782Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:18.245{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-365.attackrange.local52574-false10.0.1.14win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000001781Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:18.245{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-365.attackrange.local52574-false10.0.1.14win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000001780Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:18.243{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsetrue2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52573-true2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000001779Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:18.243{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruetrue2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52573-true2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000001778Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:18.240{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local52572-truefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local445microsoft-ds 354300x80000000000000001777Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:18.240{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local52572-truefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local445microsoft-ds 10341000x80000000000000001865Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:21.912{928AB1BB-E35D-60C1-0B00-00000000C301}632852C:\Windows\system32\lsass.exe{928AB1BB-E41D-60C1-EE02-00000000C301}3308C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001864Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:21.912{928AB1BB-E35D-60C1-0B00-00000000C301}632852C:\Windows\system32\lsass.exe{928AB1BB-E41D-60C1-EE02-00000000C301}3308C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 17141700x80000000000000001863Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-CreatePipe2021-06-10 10:06:21.896{928AB1BB-E41D-60C1-EE02-00000000C301}3308\PSHost.132677931818451615.3308.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 23542300x80000000000000001862Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:21.896{928AB1BB-E41D-60C1-EE02-00000000C301}3308ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_z5rejkai.oan.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001861Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:21.896{928AB1BB-E41D-60C1-EE02-00000000C301}3308ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_kxlt1pj5.teg.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000001860Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:21.881{928AB1BB-E41D-60C1-EE02-00000000C301}3308C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_kxlt1pj5.teg.ps12021-06-10 10:06:21.881 10341000x80000000000000001859Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:21.865{928AB1BB-E35F-60C1-0C00-00000000C301}860108C:\Windows\system32\svchost.exe{928AB1BB-E41D-60C1-EE02-00000000C301}3308C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001858Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:21.849{928AB1BB-E35D-60C1-0B00-00000000C301}632852C:\Windows\system32\lsass.exe{928AB1BB-E35F-60C1-1300-00000000C301}964C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+1d1e8|C:\Windows\system32\lsasrv.dll+1c411|C:\Windows\system32\lsasrv.dll+1ac30|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001857Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:21.849{928AB1BB-E35D-60C1-0B00-00000000C301}632852C:\Windows\system32\lsass.exe{928AB1BB-E35F-60C1-1300-00000000C301}964C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+19616|C:\Windows\system32\lsasrv.dll+1abbf|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001856Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:21.849{928AB1BB-E35D-60C1-0B00-00000000C301}632852C:\Windows\system32\lsass.exe{928AB1BB-E35F-60C1-1300-00000000C301}964C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001855Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:21.834{928AB1BB-E41D-60C1-EC02-00000000C301}13802664C:\Windows\system32\conhost.exe{928AB1BB-E41D-60C1-EE02-00000000C301}3308C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001854Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:21.834{928AB1BB-E35F-60C1-0C00-00000000C301}860108C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001853Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:21.834{928AB1BB-E35F-60C1-0C00-00000000C301}860108C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001852Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:21.834{928AB1BB-E35F-60C1-0C00-00000000C301}860108C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001851Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:21.834{928AB1BB-E35F-60C1-0C00-00000000C301}860108C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001850Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:21.834{928AB1BB-E35F-60C1-0C00-00000000C301}860108C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001849Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:21.834{928AB1BB-E35F-60C1-0C00-00000000C301}860108C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001848Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:21.834{928AB1BB-E35F-60C1-0C00-00000000C301}860108C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001847Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:21.834{928AB1BB-E35F-60C1-0C00-00000000C301}860108C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001846Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:21.834{928AB1BB-E349-60C1-0500-00000000C301}412428C:\Windows\system32\csrss.exe{928AB1BB-E41D-60C1-EE02-00000000C301}3308C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001845Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:21.834{928AB1BB-E35F-60C1-0C00-00000000C301}860108C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001844Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:21.834{928AB1BB-E41D-60C1-ED02-00000000C301}45004480C:\Windows\system32\cmd.exe{928AB1BB-E41D-60C1-EE02-00000000C301}3308C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001843Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:21.845{928AB1BB-E41D-60C1-EE02-00000000C301}3308C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXEPowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand KABHAGUAdAAtAFcAbQBpAE8AYgBqAGUAYwB0ACAALQBDAGwAYQBzAHMATgBhAG0AZQAgAFcAaQBuADMAMgBfAE8AcABlAHIAYQB0AGkAbgBnAFMAeQBzAHQAZQBtACkALgBMAGEAcwB0AEIAbwBvAHQAVQBwAFQAaQBtAGUAC:\Users\Administrator\ATTACKRANGE\Administrator{928AB1BB-E41D-60C1-48F8-0F0000000000}0xff8480HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{928AB1BB-E41D-60C1-ED02-00000000C301}4500C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /C PowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand KABHAGUAdAAtAFcAbQBpAE8AYgBqAGUAYwB0ACAALQBDAGwAYQBzAHMATgBhAG0AZQAgAFcAaQBuADMAMgBfAE8AcABlAHIAYQB0AGkAbgBnAFMAeQBzAHQAZQBtACkALgBMAGEAcwB0AEIAbwBvAHQAVQBwAFQAaQBtAGUA 10341000x80000000000000001842Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:21.834{928AB1BB-E41D-60C1-EC02-00000000C301}13802664C:\Windows\system32\conhost.exe{928AB1BB-E41D-60C1-ED02-00000000C301}4500C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001841Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:21.834{928AB1BB-E35F-60C1-0C00-00000000C301}860108C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001840Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:21.834{928AB1BB-E35F-60C1-0C00-00000000C301}860108C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001839Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:21.834{928AB1BB-E35F-60C1-0C00-00000000C301}860108C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001838Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:21.834{928AB1BB-E35F-60C1-0C00-00000000C301}860108C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001837Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:21.834{928AB1BB-E35F-60C1-0C00-00000000C301}860108C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001836Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:21.834{928AB1BB-E35F-60C1-0C00-00000000C301}860108C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001835Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:21.834{928AB1BB-E35F-60C1-0C00-00000000C301}860108C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001834Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:21.834{928AB1BB-E35F-60C1-0C00-00000000C301}860108C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001833Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:21.834{928AB1BB-E35F-60C1-0C00-00000000C301}860108C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001832Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:21.834{928AB1BB-E349-60C1-0500-00000000C301}412428C:\Windows\system32\csrss.exe{928AB1BB-E41D-60C1-ED02-00000000C301}4500C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001831Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:21.834{928AB1BB-E41D-60C1-EB02-00000000C301}32684468C:\Windows\system32\WinrsHost.exe{928AB1BB-E41D-60C1-ED02-00000000C301}4500C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\WinrsHost.exe+2c94|C:\Windows\system32\WinrsHost.exe+2eb1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b 154100x80000000000000001830Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:21.838{928AB1BB-E41D-60C1-ED02-00000000C301}4500C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /C PowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand KABHAGUAdAAtAFcAbQBpAE8AYgBqAGUAYwB0ACAALQBDAGwAYQBzAHMATgBhAG0AZQAgAFcAaQBuADMAMgBfAE8AcABlAHIAYQB0AGkAbgBnAFMAeQBzAHQAZQBtACkALgBMAGEAcwB0AEIAbwBvAHQAVQBwAFQAaQBtAGUAC:\Users\Administrator\ATTACKRANGE\Administrator{928AB1BB-E41D-60C1-48F8-0F0000000000}0xff8480HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{928AB1BB-E41D-60C1-EB02-00000000C301}3268C:\Windows\System32\winrshost.exeC:\Windows\system32\WinrsHost.exe -Embedding 10341000x80000000000000001829Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:21.834{928AB1BB-E35D-60C1-0B00-00000000C301}632852C:\Windows\system32\lsass.exe{928AB1BB-E35F-60C1-1300-00000000C301}964C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+1d1e8|C:\Windows\system32\lsasrv.dll+1c411|C:\Windows\system32\lsasrv.dll+1ac30|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001828Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:21.834{928AB1BB-E35D-60C1-0B00-00000000C301}632852C:\Windows\system32\lsass.exe{928AB1BB-E35F-60C1-1300-00000000C301}964C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+19616|C:\Windows\system32\lsasrv.dll+1abbf|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001827Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:21.834{928AB1BB-E35D-60C1-0B00-00000000C301}632852C:\Windows\system32\lsass.exe{928AB1BB-E35F-60C1-1300-00000000C301}964C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001826Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:21.802{928AB1BB-E35F-60C1-1300-00000000C301}9641512C:\Windows\system32\svchost.exe{928AB1BB-E41D-60C1-EB02-00000000C301}3268C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\winrscmd.dll+8d36|C:\Windows\system32\winrscmd.dll+92d5|C:\Windows\system32\winrscmd.dll+af31|C:\Windows\system32\winrscmd.dll+23dc|c:\windows\system32\wsmsvc.dll+155ac7|c:\windows\system32\wsmsvc.dll+13f76d|c:\windows\system32\wsmsvc.dll+13f3cf|c:\windows\system32\wsmsvc.dll+13fcb2|c:\windows\system32\wsmsvc.dll+9ab10|c:\windows\system32\wsmsvc.dll+9b611|c:\windows\system32\wsmsvc.dll+4495|c:\windows\system32\wsmsvc.dll+16816c|c:\windows\system32\wsmsvc.dll+1689b8|c:\windows\system32\wsmsvc.dll+16345b|c:\windows\system32\wsmsvc.dll+163125|c:\windows\system32\wsmsvc.dll+14ce9c|c:\windows\system32\wsmsvc.dll+130049|c:\windows\system32\wsmsvc.dll+13571a|c:\windows\system32\wsmsvc.dll+12f47e|c:\windows\system32\wsmsvc.dll+125587|c:\windows\system32\wsmsvc.dll+11f562|c:\windows\system32\wsmsvc.dll+124574 10341000x80000000000000001825Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:21.802{928AB1BB-E35F-60C1-0C00-00000000C301}860108C:\Windows\system32\svchost.exe{928AB1BB-E41D-60C1-EB02-00000000C301}3268C:\Windows\system32\WinrsHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001824Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:21.787{928AB1BB-E41D-60C1-EC02-00000000C301}13802664C:\Windows\system32\conhost.exe{928AB1BB-E41D-60C1-EB02-00000000C301}3268C:\Windows\system32\WinrsHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001823Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:21.787{928AB1BB-E349-60C1-0500-00000000C301}412428C:\Windows\system32\csrss.exe{928AB1BB-E41D-60C1-EC02-00000000C301}1380C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001822Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:21.771{928AB1BB-E35F-60C1-0C00-00000000C301}860108C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001821Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:21.771{928AB1BB-E35F-60C1-0C00-00000000C301}860108C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001820Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:21.771{928AB1BB-E35F-60C1-0C00-00000000C301}860108C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001819Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:21.771{928AB1BB-E35F-60C1-0C00-00000000C301}860108C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001818Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:21.771{928AB1BB-E35F-60C1-0C00-00000000C301}860108C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001817Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:21.771{928AB1BB-E35F-60C1-0C00-00000000C301}860108C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001816Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:21.771{928AB1BB-E35F-60C1-0C00-00000000C301}860108C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001815Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:21.771{928AB1BB-E35F-60C1-0C00-00000000C301}860108C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001814Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:21.771{928AB1BB-E35F-60C1-0C00-00000000C301}860108C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001813Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:21.771{928AB1BB-E349-60C1-0500-00000000C301}412500C:\Windows\system32\csrss.exe{928AB1BB-E41D-60C1-EB02-00000000C301}3268C:\Windows\system32\WinrsHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001812Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:21.771{928AB1BB-E35F-60C1-0C00-00000000C301}860904C:\Windows\system32\svchost.exe{928AB1BB-E41D-60C1-EB02-00000000C301}3268C:\Windows\system32\WinrsHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+35069|c:\windows\system32\rpcss.dll+3a852|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001811Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:21.783{928AB1BB-E41D-60C1-EB02-00000000C301}3268C:\Windows\System32\winrshost.exe10.0.14393.0 (rs1_release.160715-1616)Host Process for WinRM's Remote Shell pluginMicrosoft® Windows® Operating SystemMicrosoft Corporationwinrshost.exeC:\Windows\system32\WinrsHost.exe -EmbeddingC:\Windows\system32\ATTACKRANGE\Administrator{928AB1BB-E41D-60C1-48F8-0F0000000000}0xff8480HighMD5=F40EC96CA18D88CB1F26FA2070010714,SHA256=607C014A3CA531FFAD50BCD90095C01E4E6B691D9E18473C70E4699CF1E31453,IMPHASH=4216D8E7F36901B61DFD6309B49BCF96{928AB1BB-E35F-60C1-0C00-00000000C301}860C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch 10341000x80000000000000001810Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:21.771{928AB1BB-E35D-60C1-0B00-00000000C301}632852C:\Windows\system32\lsass.exe{928AB1BB-E35F-60C1-1300-00000000C301}964C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+1d1e8|C:\Windows\system32\lsasrv.dll+1c411|C:\Windows\system32\lsasrv.dll+1ac30|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001809Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:21.771{928AB1BB-E35D-60C1-0B00-00000000C301}632852C:\Windows\system32\lsass.exe{928AB1BB-E35F-60C1-1300-00000000C301}964C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+19616|C:\Windows\system32\lsasrv.dll+1abbf|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001808Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:21.771{928AB1BB-E35D-60C1-0B00-00000000C301}632852C:\Windows\system32\lsass.exe{928AB1BB-E35F-60C1-1300-00000000C301}964C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001807Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:20.279{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52583-truefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000001806Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:20.277{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-365.attackrange.local52582-false10.0.1.14win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000001805Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:20.277{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-365.attackrange.local52582-false10.0.1.14win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000001804Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:20.274{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsetrue2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52581-true2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000001803Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:20.274{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruetrue2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52581-true2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000001802Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:20.271{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local52580-truefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local445microsoft-ds 354300x80000000000000001801Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:20.271{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local52580-truefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local445microsoft-ds 10341000x80000000000000001800Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:21.536{928AB1BB-E35D-60C1-0B00-00000000C301}632852C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001799Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:21.536{928AB1BB-E35D-60C1-0B00-00000000C301}632676C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001798Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:21.536{928AB1BB-E35D-60C1-0B00-00000000C301}632852C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001797Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:21.536{928AB1BB-E35D-60C1-0B00-00000000C301}632692C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 354300x80000000000000001796Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:19.264{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52579-truefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000001795Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:19.264{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52579-truefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000001876Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:21.286{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local52584-truefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local445microsoft-ds 354300x80000000000000001875Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:21.286{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local52584-truefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local445microsoft-ds 10341000x80000000000000001874Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:22.555{928AB1BB-E35D-60C1-0B00-00000000C301}632676C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001873Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:22.555{928AB1BB-E35D-60C1-0B00-00000000C301}632676C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001872Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:22.555{928AB1BB-E35D-60C1-0B00-00000000C301}632676C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001871Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:22.555{928AB1BB-E35D-60C1-0B00-00000000C301}632676C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 354300x80000000000000001870Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:20.279{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52583-truefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 10341000x80000000000000001869Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:22.100{928AB1BB-E35D-60C1-0B00-00000000C301}632676C:\Windows\system32\lsass.exe{928AB1BB-E35F-60C1-1300-00000000C301}964C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+1d1e8|C:\Windows\system32\lsasrv.dll+1c411|C:\Windows\system32\lsasrv.dll+1ac30|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001868Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:22.100{928AB1BB-E35D-60C1-0B00-00000000C301}632676C:\Windows\system32\lsass.exe{928AB1BB-E35F-60C1-1300-00000000C301}964C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+19616|C:\Windows\system32\lsasrv.dll+1abbf|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001867Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:22.100{928AB1BB-E35D-60C1-0B00-00000000C301}632676C:\Windows\system32\lsass.exe{928AB1BB-E35F-60C1-1300-00000000C301}964C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001866Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:22.053{928AB1BB-E41D-60C1-EE02-00000000C301}3308ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5=446DD1CF97EABA21CF14D03AEBC79F27,SHA256=A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001886Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:21.295{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52587-truefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000001885Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:21.295{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52587-truefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000001884Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:21.292{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-365.attackrange.local52586-false10.0.1.14win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000001883Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:21.292{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-365.attackrange.local52586-false10.0.1.14win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000001882Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:21.289{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsetrue2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52585-true2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000001881Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:21.289{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruetrue2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52585-true2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 10341000x80000000000000001880Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:23.574{928AB1BB-E35D-60C1-0B00-00000000C301}632852C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001879Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:23.574{928AB1BB-E35D-60C1-0B00-00000000C301}632692C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001878Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:23.574{928AB1BB-E35D-60C1-0B00-00000000C301}632852C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001877Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:23.574{928AB1BB-E35D-60C1-0B00-00000000C301}632676C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 354300x80000000000000001907Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:23.327{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52595-truefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000001906Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:23.327{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52595-truefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000001905Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:23.324{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-365.attackrange.local52594-false10.0.1.14win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000001904Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:23.324{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-365.attackrange.local52594-false10.0.1.14win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000001903Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:23.321{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsetrue2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52593-true2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000001902Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:23.321{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruetrue2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52593-true2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000001901Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:23.318{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local52592-truefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local445microsoft-ds 354300x80000000000000001900Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:23.318{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local52592-truefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local445microsoft-ds 354300x80000000000000001899Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:22.311{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52591-truefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000001898Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:22.311{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52591-truefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000001897Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:22.308{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-365.attackrange.local52590-false10.0.1.14win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000001896Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:22.308{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-365.attackrange.local52590-false10.0.1.14win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000001895Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:22.305{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsetrue2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52589-true2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000001894Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:22.305{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruetrue2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52589-true2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000001893Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:22.302{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local52588-truefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local445microsoft-ds 354300x80000000000000001892Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:22.302{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local52588-truefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local445microsoft-ds 354300x80000000000000001891Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:21.468{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse46.128.24.7946.128.24.79.dynamic.cablesurf.de52697-false10.0.1.14win-dc-365.attackrange.local5986- 10341000x80000000000000001890Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:24.593{928AB1BB-E35D-60C1-0B00-00000000C301}632676C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001889Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:24.593{928AB1BB-E35D-60C1-0B00-00000000C301}632676C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001888Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:24.593{928AB1BB-E35D-60C1-0B00-00000000C301}632852C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001887Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:24.593{928AB1BB-E35D-60C1-0B00-00000000C301}632852C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 354300x80000000000000001913Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:24.333{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local52596-truefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local445microsoft-ds 354300x80000000000000001912Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:24.333{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local52596-truefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local445microsoft-ds 10341000x80000000000000001911Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:25.612{928AB1BB-E35D-60C1-0B00-00000000C301}632852C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001910Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:25.612{928AB1BB-E35D-60C1-0B00-00000000C301}632840C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001909Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:25.612{928AB1BB-E35D-60C1-0B00-00000000C301}632692C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001908Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:25.612{928AB1BB-E35D-60C1-0B00-00000000C301}632676C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 354300x80000000000000001932Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:25.358{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52603-truefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000001931Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:25.358{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52603-truefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000001930Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:25.356{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-365.attackrange.local52602-false10.0.1.14win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000001929Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:25.356{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-365.attackrange.local52602-false10.0.1.14win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000001928Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:25.352{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsetrue2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52601-true2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000001927Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:25.352{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruetrue2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52601-true2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000001926Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:25.349{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local52600-truefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local445microsoft-ds 354300x80000000000000001925Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:25.349{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local52600-truefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local445microsoft-ds 354300x80000000000000001924Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:24.342{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52599-truefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000001923Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:24.342{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52599-truefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000001922Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:24.339{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-365.attackrange.local52598-false10.0.1.14win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000001921Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:24.339{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-365.attackrange.local52598-false10.0.1.14win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000001920Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:24.336{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsetrue2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52597-true2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000001919Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:24.336{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruetrue2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52597-true2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 10341000x80000000000000001918Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:26.631{928AB1BB-E35D-60C1-0B00-00000000C301}632676C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001917Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:26.631{928AB1BB-E35D-60C1-0B00-00000000C301}632852C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+304a5|C:\Windows\system32\lsasrv.dll+2e33b|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001916Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:26.631{928AB1BB-E35D-60C1-0B00-00000000C301}632840C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001915Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:26.631{928AB1BB-E35D-60C1-0B00-00000000C301}632852C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001914Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:26.631{928AB1BB-E35D-60C1-0B00-00000000C301}632692C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 354300x80000000000000001944Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:26.375{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-365.attackrange.local52607-false10.0.1.14win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000001943Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:26.375{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-365.attackrange.local52607-false10.0.1.14win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000001942Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:26.371{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsetrue2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52606-true2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000001941Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:26.371{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruetrue2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52606-true2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000001940Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:26.368{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local52605-truefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local445microsoft-ds 354300x80000000000000001939Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:26.368{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local52605-truefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local445microsoft-ds 354300x80000000000000001938Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:26.365{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52604-truefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000001937Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:26.365{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52604-truefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 10341000x80000000000000001936Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:27.650{928AB1BB-E35D-60C1-0B00-00000000C301}632852C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001935Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:27.650{928AB1BB-E35D-60C1-0B00-00000000C301}632692C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001934Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:27.650{928AB1BB-E35D-60C1-0B00-00000000C301}632692C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001933Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:27.650{928AB1BB-E35D-60C1-0B00-00000000C301}632852C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 354300x80000000000000001956Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:27.389{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-365.attackrange.local52611-false10.0.1.14win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000001955Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:27.389{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-365.attackrange.local52611-false10.0.1.14win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000001954Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:27.387{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsetrue2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52610-true2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 10341000x80000000000000001953Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:28.684{928AB1BB-E35D-60C1-0B00-00000000C301}632840C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 354300x80000000000000001952Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:27.387{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruetrue2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52610-true2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000001951Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:27.384{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local52609-truefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local445microsoft-ds 354300x80000000000000001950Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:27.383{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local52609-truefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local445microsoft-ds 354300x80000000000000001949Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:27.380{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52608-truefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000001948Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:27.380{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52608-truefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 10341000x80000000000000001947Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:28.668{928AB1BB-E35D-60C1-0B00-00000000C301}632852C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001946Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:28.668{928AB1BB-E35D-60C1-0B00-00000000C301}632692C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001945Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:28.668{928AB1BB-E35D-60C1-0B00-00000000C301}632840C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 354300x80000000000000001964Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:28.404{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local52613-truefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local445microsoft-ds 354300x80000000000000001963Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:28.404{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local52613-truefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local445microsoft-ds 354300x80000000000000001962Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:28.401{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52612-truefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000001961Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:28.401{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52612-truefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 10341000x80000000000000001960Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:29.703{928AB1BB-E35D-60C1-0B00-00000000C301}632692C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001959Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:29.703{928AB1BB-E35D-60C1-0B00-00000000C301}632676C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001958Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:29.703{928AB1BB-E35D-60C1-0B00-00000000C301}632840C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001957Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:29.703{928AB1BB-E35D-60C1-0B00-00000000C301}632840C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 354300x80000000000000001974Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:29.427{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52616-truefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000001973Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:29.427{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52616-truefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 10341000x80000000000000001972Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:30.723{928AB1BB-E35D-60C1-0B00-00000000C301}632840C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001971Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:30.723{928AB1BB-E35D-60C1-0B00-00000000C301}632692C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001970Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:30.723{928AB1BB-E35D-60C1-0B00-00000000C301}632692C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001969Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:30.723{928AB1BB-E35D-60C1-0B00-00000000C301}632676C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 354300x80000000000000001968Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:28.410{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-365.attackrange.local52615-false10.0.1.14win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000001967Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:28.410{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-365.attackrange.local52615-false10.0.1.14win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000001966Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:28.407{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsetrue2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52614-true2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000001965Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:28.407{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruetrue2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52614-true2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000001990Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:30.450{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsetrue2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52622-true2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000001989Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:30.450{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruetrue2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52622-true2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000001988Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:30.447{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local52621-truefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local445microsoft-ds 354300x80000000000000001987Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:30.447{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local52621-truefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local445microsoft-ds 354300x80000000000000001986Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:30.444{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52620-truefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000001985Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:30.444{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52620-truefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 10341000x80000000000000001984Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:31.740{928AB1BB-E35D-60C1-0B00-00000000C301}632676C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001983Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:31.740{928AB1BB-E35D-60C1-0B00-00000000C301}632852C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001982Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:31.740{928AB1BB-E35D-60C1-0B00-00000000C301}632692C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001981Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:31.740{928AB1BB-E35D-60C1-0B00-00000000C301}632852C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 354300x80000000000000001980Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:29.436{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-365.attackrange.local52619-false10.0.1.14win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000001979Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:29.436{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-365.attackrange.local52619-false10.0.1.14win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000001978Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:29.433{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsetrue2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52618-true2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000001977Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:29.433{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruetrue2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52618-true2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000001976Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:29.430{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local52617-truefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local445microsoft-ds 354300x80000000000000001975Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:29.430{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local52617-truefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local445microsoft-ds 354300x80000000000000001998Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:31.457{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52624-truefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000001997Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:31.457{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52624-truefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 10341000x80000000000000001996Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:32.761{928AB1BB-E35D-60C1-0B00-00000000C301}632692C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001995Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:32.761{928AB1BB-E35D-60C1-0B00-00000000C301}632692C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001994Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:32.761{928AB1BB-E35D-60C1-0B00-00000000C301}632676C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001993Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:32.761{928AB1BB-E35D-60C1-0B00-00000000C301}632676C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 354300x80000000000000001992Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:30.452{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-365.attackrange.local52623-false10.0.1.14win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000001991Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:30.452{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-365.attackrange.local52623-false10.0.1.14win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000002014Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:32.481{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsetrue2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52630-true2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000002013Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:32.481{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruetrue2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52630-true2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000002012Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:32.478{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local52629-truefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local445microsoft-ds 354300x80000000000000002011Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:32.478{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local52629-truefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local445microsoft-ds 354300x80000000000000002010Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:32.475{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52628-truefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000002009Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:32.475{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52628-truefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 10341000x80000000000000002008Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:33.780{928AB1BB-E35D-60C1-0B00-00000000C301}632676C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000002007Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:33.780{928AB1BB-E35D-60C1-0B00-00000000C301}632692C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000002006Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:33.780{928AB1BB-E35D-60C1-0B00-00000000C301}632840C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000002005Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:33.780{928AB1BB-E35D-60C1-0B00-00000000C301}632692C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 354300x80000000000000002004Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:31.466{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-365.attackrange.local52627-false10.0.1.14win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000002003Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:31.466{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-365.attackrange.local52627-false10.0.1.14win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000002002Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:31.463{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsetrue2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52626-true2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000002001Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:31.463{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruetrue2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52626-true2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000002000Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:31.460{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local52625-truefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local445microsoft-ds 354300x80000000000000001999Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:31.460{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local52625-truefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local445microsoft-ds 354300x80000000000000002088Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:33.497{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsetrue2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52634-true2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000002087Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:33.497{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruetrue2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52634-true2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000002086Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:33.494{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local52633-truefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local445microsoft-ds 354300x80000000000000002085Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:33.494{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local52633-truefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local445microsoft-ds 354300x80000000000000002084Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:33.491{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52632-truefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000002083Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:33.491{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52632-truefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 10341000x80000000000000002082Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:34.877{928AB1BB-E35D-60C1-0B00-00000000C301}632852C:\Windows\system32\lsass.exe{928AB1BB-E35F-60C1-1300-00000000C301}964C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+1d1e8|C:\Windows\system32\lsasrv.dll+1c411|C:\Windows\system32\lsasrv.dll+1ac30|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002081Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:34.877{928AB1BB-E35D-60C1-0B00-00000000C301}632852C:\Windows\system32\lsass.exe{928AB1BB-E35F-60C1-1300-00000000C301}964C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+19616|C:\Windows\system32\lsasrv.dll+1abbf|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002080Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:34.877{928AB1BB-E35D-60C1-0B00-00000000C301}632852C:\Windows\system32\lsass.exe{928AB1BB-E35F-60C1-1300-00000000C301}964C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000002079Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:34.830{928AB1BB-E42A-60C1-F202-00000000C301}4440ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5=446DD1CF97EABA21CF14D03AEBC79F27,SHA256=A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002078Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:34.799{928AB1BB-E35D-60C1-0B00-00000000C301}632676C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000002077Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:34.799{928AB1BB-E35D-60C1-0B00-00000000C301}632852C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000002076Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:34.799{928AB1BB-E35D-60C1-0B00-00000000C301}632692C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000002075Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:34.799{928AB1BB-E35D-60C1-0B00-00000000C301}632692C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000002074Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:34.689{928AB1BB-E35D-60C1-0B00-00000000C301}632692C:\Windows\system32\lsass.exe{928AB1BB-E42A-60C1-F202-00000000C301}4440C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002073Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:34.689{928AB1BB-E35D-60C1-0B00-00000000C301}632692C:\Windows\system32\lsass.exe{928AB1BB-E42A-60C1-F202-00000000C301}4440C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 17141700x80000000000000002072Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-CreatePipe2021-06-10 10:06:34.673{928AB1BB-E42A-60C1-F202-00000000C301}4440\PSHost.132677931946247653.4440.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 23542300x80000000000000002071Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:34.673{928AB1BB-E42A-60C1-F202-00000000C301}4440ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_zn45k2z1.mph.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002070Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:34.657{928AB1BB-E42A-60C1-F202-00000000C301}4440ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_aqdhgzq5.nwq.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000002069Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:34.657{928AB1BB-E42A-60C1-F202-00000000C301}4440C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_aqdhgzq5.nwq.ps12021-06-10 10:06:34.657 10341000x80000000000000002068Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:34.642{928AB1BB-E35F-60C1-0C00-00000000C301}860904C:\Windows\system32\svchost.exe{928AB1BB-E42A-60C1-F202-00000000C301}4440C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002067Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:34.642{928AB1BB-E35D-60C1-0B00-00000000C301}632692C:\Windows\system32\lsass.exe{928AB1BB-E35F-60C1-1300-00000000C301}964C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+1d1e8|C:\Windows\system32\lsasrv.dll+1c411|C:\Windows\system32\lsasrv.dll+1ac30|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002066Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:34.642{928AB1BB-E35D-60C1-0B00-00000000C301}632692C:\Windows\system32\lsass.exe{928AB1BB-E35F-60C1-1300-00000000C301}964C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+19616|C:\Windows\system32\lsasrv.dll+1abbf|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002065Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:34.642{928AB1BB-E35D-60C1-0B00-00000000C301}632692C:\Windows\system32\lsass.exe{928AB1BB-E35F-60C1-1300-00000000C301}964C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002064Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:34.626{928AB1BB-E42A-60C1-F002-00000000C301}43364168C:\Windows\system32\conhost.exe{928AB1BB-E42A-60C1-F202-00000000C301}4440C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002063Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:34.610{928AB1BB-E35F-60C1-0C00-00000000C301}860904C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002062Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:34.610{928AB1BB-E35F-60C1-0C00-00000000C301}860904C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002061Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:34.610{928AB1BB-E35F-60C1-0C00-00000000C301}860904C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002060Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:34.610{928AB1BB-E35F-60C1-0C00-00000000C301}860904C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002059Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:34.610{928AB1BB-E35F-60C1-0C00-00000000C301}860904C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002058Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:34.610{928AB1BB-E35F-60C1-0C00-00000000C301}860904C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002057Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:34.610{928AB1BB-E35F-60C1-0C00-00000000C301}860904C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002056Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:34.610{928AB1BB-E35F-60C1-0C00-00000000C301}860904C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002055Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:34.610{928AB1BB-E35F-60C1-0C00-00000000C301}860904C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002054Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:34.610{928AB1BB-E349-60C1-0500-00000000C301}412532C:\Windows\system32\csrss.exe{928AB1BB-E42A-60C1-F202-00000000C301}4440C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000002053Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:34.610{928AB1BB-E42A-60C1-F102-00000000C301}41644204C:\Windows\system32\cmd.exe{928AB1BB-E42A-60C1-F202-00000000C301}4440C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000002052Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:34.624{928AB1BB-E42A-60C1-F202-00000000C301}4440C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXEPowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand KABHAGUAdAAtAFcAbQBpAE8AYgBqAGUAYwB0ACAALQBDAGwAYQBzAHMATgBhAG0AZQAgAFcAaQBuADMAMgBfAE8AcABlAHIAYQB0AGkAbgBnAFMAeQBzAHQAZQBtACkALgBMAGEAcwB0AEIAbwBvAHQAVQBwAFQAaQBtAGUAC:\Users\Administrator\ATTACKRANGE\Administrator{928AB1BB-E42A-60C1-AA2B-100000000000}0x102baa0HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{928AB1BB-E42A-60C1-F102-00000000C301}4164C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /C PowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand KABHAGUAdAAtAFcAbQBpAE8AYgBqAGUAYwB0ACAALQBDAGwAYQBzAHMATgBhAG0AZQAgAFcAaQBuADMAMgBfAE8AcABlAHIAYQB0AGkAbgBnAFMAeQBzAHQAZQBtACkALgBMAGEAcwB0AEIAbwBvAHQAVQBwAFQAaQBtAGUA 10341000x80000000000000002051Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:34.610{928AB1BB-E42A-60C1-F002-00000000C301}43364168C:\Windows\system32\conhost.exe{928AB1BB-E42A-60C1-F102-00000000C301}4164C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002050Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:34.610{928AB1BB-E35F-60C1-0C00-00000000C301}860904C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002049Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:34.610{928AB1BB-E35F-60C1-0C00-00000000C301}860904C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002048Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:34.610{928AB1BB-E35F-60C1-0C00-00000000C301}860904C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002047Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:34.610{928AB1BB-E35F-60C1-0C00-00000000C301}860904C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002046Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:34.610{928AB1BB-E35F-60C1-0C00-00000000C301}860904C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002045Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:34.610{928AB1BB-E35F-60C1-0C00-00000000C301}860904C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002044Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:34.610{928AB1BB-E35F-60C1-0C00-00000000C301}860904C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002043Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:34.610{928AB1BB-E35F-60C1-0C00-00000000C301}860904C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002042Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:34.610{928AB1BB-E349-60C1-0500-00000000C301}412532C:\Windows\system32\csrss.exe{928AB1BB-E42A-60C1-F102-00000000C301}4164C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000002041Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:34.610{928AB1BB-E35F-60C1-0C00-00000000C301}860904C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002040Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:34.610{928AB1BB-E42A-60C1-EF02-00000000C301}43242888C:\Windows\system32\WinrsHost.exe{928AB1BB-E42A-60C1-F102-00000000C301}4164C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\WinrsHost.exe+2c94|C:\Windows\system32\WinrsHost.exe+2eb1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b 154100x80000000000000002039Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:34.619{928AB1BB-E42A-60C1-F102-00000000C301}4164C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /C PowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand KABHAGUAdAAtAFcAbQBpAE8AYgBqAGUAYwB0ACAALQBDAGwAYQBzAHMATgBhAG0AZQAgAFcAaQBuADMAMgBfAE8AcABlAHIAYQB0AGkAbgBnAFMAeQBzAHQAZQBtACkALgBMAGEAcwB0AEIAbwBvAHQAVQBwAFQAaQBtAGUAC:\Users\Administrator\ATTACKRANGE\Administrator{928AB1BB-E42A-60C1-AA2B-100000000000}0x102baa0HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{928AB1BB-E42A-60C1-EF02-00000000C301}4324C:\Windows\System32\winrshost.exeC:\Windows\system32\WinrsHost.exe -Embedding 10341000x80000000000000002038Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:34.610{928AB1BB-E35D-60C1-0B00-00000000C301}632692C:\Windows\system32\lsass.exe{928AB1BB-E35F-60C1-1300-00000000C301}964C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+1d1e8|C:\Windows\system32\lsasrv.dll+1c411|C:\Windows\system32\lsasrv.dll+1ac30|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002037Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:34.610{928AB1BB-E35D-60C1-0B00-00000000C301}632692C:\Windows\system32\lsass.exe{928AB1BB-E35F-60C1-1300-00000000C301}964C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+19616|C:\Windows\system32\lsasrv.dll+1abbf|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002036Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:34.610{928AB1BB-E35D-60C1-0B00-00000000C301}632692C:\Windows\system32\lsass.exe{928AB1BB-E35F-60C1-1300-00000000C301}964C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002035Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:34.579{928AB1BB-E35F-60C1-1300-00000000C301}9641512C:\Windows\system32\svchost.exe{928AB1BB-E42A-60C1-EF02-00000000C301}4324C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\winrscmd.dll+8d36|C:\Windows\system32\winrscmd.dll+92d5|C:\Windows\system32\winrscmd.dll+af31|C:\Windows\system32\winrscmd.dll+23dc|c:\windows\system32\wsmsvc.dll+155ac7|c:\windows\system32\wsmsvc.dll+13f76d|c:\windows\system32\wsmsvc.dll+13f3cf|c:\windows\system32\wsmsvc.dll+13fcb2|c:\windows\system32\wsmsvc.dll+9ab10|c:\windows\system32\wsmsvc.dll+9b611|c:\windows\system32\wsmsvc.dll+4495|c:\windows\system32\wsmsvc.dll+16816c|c:\windows\system32\wsmsvc.dll+1689b8|c:\windows\system32\wsmsvc.dll+16345b|c:\windows\system32\wsmsvc.dll+163125|c:\windows\system32\wsmsvc.dll+14ce9c|c:\windows\system32\wsmsvc.dll+130049|c:\windows\system32\wsmsvc.dll+13571a|c:\windows\system32\wsmsvc.dll+12f47e|c:\windows\system32\wsmsvc.dll+125587|c:\windows\system32\wsmsvc.dll+11f562|c:\windows\system32\wsmsvc.dll+124574 10341000x80000000000000002034Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:34.579{928AB1BB-E35F-60C1-0C00-00000000C301}860904C:\Windows\system32\svchost.exe{928AB1BB-E42A-60C1-EF02-00000000C301}4324C:\Windows\system32\WinrsHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002033Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:34.563{928AB1BB-E42A-60C1-F002-00000000C301}43364168C:\Windows\system32\conhost.exe{928AB1BB-E42A-60C1-EF02-00000000C301}4324C:\Windows\system32\WinrsHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002032Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:34.563{928AB1BB-E349-60C1-0500-00000000C301}412532C:\Windows\system32\csrss.exe{928AB1BB-E42A-60C1-F002-00000000C301}4336C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000002031Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:34.563{928AB1BB-E35F-60C1-0C00-00000000C301}860904C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002030Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:34.563{928AB1BB-E35F-60C1-0C00-00000000C301}860904C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002029Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:34.563{928AB1BB-E35F-60C1-0C00-00000000C301}860904C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002028Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:34.563{928AB1BB-E35F-60C1-0C00-00000000C301}860904C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002027Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:34.563{928AB1BB-E35F-60C1-0C00-00000000C301}860904C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002026Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:34.563{928AB1BB-E35F-60C1-0C00-00000000C301}860904C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002025Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:34.563{928AB1BB-E35F-60C1-0C00-00000000C301}860904C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002024Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:34.563{928AB1BB-E35F-60C1-0C00-00000000C301}860904C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002023Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:34.563{928AB1BB-E35F-60C1-0C00-00000000C301}860904C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002022Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:34.563{928AB1BB-E349-60C1-0500-00000000C301}412500C:\Windows\system32\csrss.exe{928AB1BB-E42A-60C1-EF02-00000000C301}4324C:\Windows\system32\WinrsHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000002021Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:34.563{928AB1BB-E35F-60C1-0C00-00000000C301}860108C:\Windows\system32\svchost.exe{928AB1BB-E42A-60C1-EF02-00000000C301}4324C:\Windows\system32\WinrsHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+35069|c:\windows\system32\rpcss.dll+3a852|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000002020Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:34.564{928AB1BB-E42A-60C1-EF02-00000000C301}4324C:\Windows\System32\winrshost.exe10.0.14393.0 (rs1_release.160715-1616)Host Process for WinRM's Remote Shell pluginMicrosoft® Windows® Operating SystemMicrosoft Corporationwinrshost.exeC:\Windows\system32\WinrsHost.exe -EmbeddingC:\Windows\system32\ATTACKRANGE\Administrator{928AB1BB-E42A-60C1-AA2B-100000000000}0x102baa0HighMD5=F40EC96CA18D88CB1F26FA2070010714,SHA256=607C014A3CA531FFAD50BCD90095C01E4E6B691D9E18473C70E4699CF1E31453,IMPHASH=4216D8E7F36901B61DFD6309B49BCF96{928AB1BB-E35F-60C1-0C00-00000000C301}860C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch 10341000x80000000000000002019Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:34.548{928AB1BB-E35D-60C1-0B00-00000000C301}632692C:\Windows\system32\lsass.exe{928AB1BB-E35F-60C1-1300-00000000C301}964C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+1d1e8|C:\Windows\system32\lsasrv.dll+1c411|C:\Windows\system32\lsasrv.dll+1ac30|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002018Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:34.548{928AB1BB-E35D-60C1-0B00-00000000C301}632692C:\Windows\system32\lsass.exe{928AB1BB-E35F-60C1-1300-00000000C301}964C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+19616|C:\Windows\system32\lsasrv.dll+1abbf|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002017Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:34.548{928AB1BB-E35D-60C1-0B00-00000000C301}632692C:\Windows\system32\lsass.exe{928AB1BB-E35F-60C1-1300-00000000C301}964C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000002016Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:32.484{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-365.attackrange.local52631-false10.0.1.14win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000002015Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:32.483{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-365.attackrange.local52631-false10.0.1.14win-dc-365.attackrange.local445microsoft-ds 10341000x80000000000000002095Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:35.817{928AB1BB-E35D-60C1-0B00-00000000C301}632676C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000002094Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:35.817{928AB1BB-E35D-60C1-0B00-00000000C301}632676C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000002093Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:35.817{928AB1BB-E35D-60C1-0B00-00000000C301}632692C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000002092Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:35.817{928AB1BB-E35D-60C1-0B00-00000000C301}632852C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 354300x80000000000000002091Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:34.206{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse46.128.24.7946.128.24.79.dynamic.cablesurf.de52704-false10.0.1.14win-dc-365.attackrange.local5986- 354300x80000000000000002090Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:33.500{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-365.attackrange.local52635-false10.0.1.14win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000002089Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:33.500{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-365.attackrange.local52635-false10.0.1.14win-dc-365.attackrange.local445microsoft-ds 10341000x80000000000000002107Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:36.836{928AB1BB-E35D-60C1-0B00-00000000C301}632676C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000002106Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:36.836{928AB1BB-E35D-60C1-0B00-00000000C301}632692C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000002105Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:36.836{928AB1BB-E35D-60C1-0B00-00000000C301}632840C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000002104Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:36.836{928AB1BB-E35D-60C1-0B00-00000000C301}632840C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 354300x80000000000000002103Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:34.515{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-365.attackrange.local52639-false10.0.1.14win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000002102Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:34.515{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-365.attackrange.local52639-false10.0.1.14win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000002101Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:34.512{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsetrue2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52638-true2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000002100Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:34.512{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruetrue2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52638-true2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000002099Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:34.509{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local52637-truefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local445microsoft-ds 354300x80000000000000002098Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:34.509{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local52637-truefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local445microsoft-ds 354300x80000000000000002097Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:34.506{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52636-truefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000002096Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:34.506{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52636-truefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 10341000x80000000000000002119Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:37.854{928AB1BB-E35D-60C1-0B00-00000000C301}632676C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000002118Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:37.854{928AB1BB-E35D-60C1-0B00-00000000C301}632676C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000002117Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:37.854{928AB1BB-E35D-60C1-0B00-00000000C301}632692C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000002116Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:37.854{928AB1BB-E35D-60C1-0B00-00000000C301}632692C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 354300x80000000000000002115Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:35.530{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-365.attackrange.local52643-false10.0.1.14win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000002114Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:35.530{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-365.attackrange.local52643-false10.0.1.14win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000002113Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:35.528{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsetrue2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52642-true2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000002112Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:35.528{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruetrue2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52642-true2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000002111Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:35.525{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local52641-truefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local445microsoft-ds 354300x80000000000000002110Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:35.525{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local52641-truefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local445microsoft-ds 354300x80000000000000002109Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:35.522{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52640-truefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000002108Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:35.522{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52640-truefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 10341000x80000000000000002143Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:38.873{928AB1BB-E35D-60C1-0B00-00000000C301}632692C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000002142Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:38.873{928AB1BB-E35D-60C1-0B00-00000000C301}632692C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000002141Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:38.873{928AB1BB-E35D-60C1-0B00-00000000C301}632692C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000002140Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:38.873{928AB1BB-E35D-60C1-0B00-00000000C301}632676C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 354300x80000000000000002139Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:37.559{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsetrue2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52650-true2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000002138Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:37.559{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruetrue2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52650-true2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000002137Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:37.556{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local52649-truefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local445microsoft-ds 354300x80000000000000002136Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:37.556{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local52649-truefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local445microsoft-ds 354300x80000000000000002135Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:37.553{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52648-truefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000002134Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:37.553{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52648-truefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 10341000x80000000000000002133Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:38.591{928AB1BB-E35F-60C1-0C00-00000000C301}860108C:\Windows\system32\svchost.exe{928AB1BB-E357-60C1-0700-00000000C301}488C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002132Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:38.591{928AB1BB-E35F-60C1-0C00-00000000C301}860108C:\Windows\system32\svchost.exe{928AB1BB-E357-60C1-0700-00000000C301}488C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002131Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:38.591{928AB1BB-E35F-60C1-0C00-00000000C301}860904C:\Windows\system32\svchost.exe{928AB1BB-E357-60C1-0700-00000000C301}488C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+163fd|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002130Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:38.591{928AB1BB-E35F-60C1-0C00-00000000C301}860108C:\Windows\system32\svchost.exe{928AB1BB-E357-60C1-0700-00000000C301}488C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002129Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:38.591{928AB1BB-E35F-60C1-0C00-00000000C301}860904C:\Windows\system32\svchost.exe{928AB1BB-E357-60C1-0700-00000000C301}488C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+19ab3|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002128Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:38.591{928AB1BB-E35F-60C1-0C00-00000000C301}860904C:\Windows\system32\svchost.exe{928AB1BB-E357-60C1-0700-00000000C301}488C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1a375|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000002127Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:36.547{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-365.attackrange.local52647-false10.0.1.14win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000002126Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:36.547{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-365.attackrange.local52647-false10.0.1.14win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000002125Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:36.544{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsetrue2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52646-true2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000002124Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:36.544{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruetrue2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52646-true2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000002123Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:36.541{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local52645-truefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local445microsoft-ds 354300x80000000000000002122Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:36.541{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local52645-truefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local445microsoft-ds 354300x80000000000000002121Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:36.538{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52644-truefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000002120Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:36.538{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52644-truefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000002155Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:38.575{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsetrue2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52654-true2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000002154Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:38.575{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruetrue2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52654-true2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000002153Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:38.572{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local52653-truefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local445microsoft-ds 354300x80000000000000002152Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:38.572{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local52653-truefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local445microsoft-ds 354300x80000000000000002151Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:38.569{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52652-truefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000002150Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:38.569{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52652-truefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 10341000x80000000000000002149Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:39.892{928AB1BB-E35D-60C1-0B00-00000000C301}632692C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000002148Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:39.892{928AB1BB-E35D-60C1-0B00-00000000C301}632692C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000002147Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:39.892{928AB1BB-E35D-60C1-0B00-00000000C301}632692C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000002146Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:39.892{928AB1BB-E35D-60C1-0B00-00000000C301}632852C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 354300x80000000000000002145Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:37.562{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-365.attackrange.local52651-false10.0.1.14win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000002144Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:37.562{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-365.attackrange.local52651-false10.0.1.14win-dc-365.attackrange.local445microsoft-ds 10341000x80000000000000002161Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:40.910{928AB1BB-E35D-60C1-0B00-00000000C301}632692C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000002160Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:40.910{928AB1BB-E35D-60C1-0B00-00000000C301}632692C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000002159Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:40.910{928AB1BB-E35D-60C1-0B00-00000000C301}632840C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000002158Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:40.910{928AB1BB-E35D-60C1-0B00-00000000C301}632692C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 354300x80000000000000002157Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:38.578{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-365.attackrange.local52655-false10.0.1.14win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000002156Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:38.578{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-365.attackrange.local52655-false10.0.1.14win-dc-365.attackrange.local445microsoft-ds 10341000x80000000000000002173Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:41.929{928AB1BB-E35D-60C1-0B00-00000000C301}632840C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000002172Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:41.929{928AB1BB-E35D-60C1-0B00-00000000C301}632692C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000002171Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:41.929{928AB1BB-E35D-60C1-0B00-00000000C301}632852C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000002170Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:41.929{928AB1BB-E35D-60C1-0B00-00000000C301}632692C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 354300x80000000000000002169Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:39.593{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-365.attackrange.local52659-false10.0.1.14win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000002168Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:39.593{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-365.attackrange.local52659-false10.0.1.14win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000002167Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:39.591{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsetrue2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52658-true2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000002166Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:39.591{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruetrue2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52658-true2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000002165Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:39.588{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local52657-truefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local445microsoft-ds 354300x80000000000000002164Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:39.587{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local52657-truefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local445microsoft-ds 354300x80000000000000002163Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:39.584{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52656-truefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000002162Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:39.584{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52656-truefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 10341000x80000000000000002185Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:42.947{928AB1BB-E35D-60C1-0B00-00000000C301}632840C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000002184Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:42.947{928AB1BB-E35D-60C1-0B00-00000000C301}632676C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000002183Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:42.947{928AB1BB-E35D-60C1-0B00-00000000C301}632676C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000002182Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:42.947{928AB1BB-E35D-60C1-0B00-00000000C301}632676C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 354300x80000000000000002181Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:40.609{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-365.attackrange.local52663-false10.0.1.14win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000002180Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:40.609{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-365.attackrange.local52663-false10.0.1.14win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000002179Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:40.606{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsetrue2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52662-true2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000002178Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:40.606{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruetrue2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52662-true2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000002177Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:40.603{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local52661-truefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local445microsoft-ds 354300x80000000000000002176Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:40.603{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local52661-truefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local445microsoft-ds 354300x80000000000000002175Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:40.600{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52660-truefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000002174Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:40.600{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52660-truefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 10341000x80000000000000002197Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:43.966{928AB1BB-E35D-60C1-0B00-00000000C301}632840C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000002196Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:43.966{928AB1BB-E35D-60C1-0B00-00000000C301}632840C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000002195Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:43.966{928AB1BB-E35D-60C1-0B00-00000000C301}632840C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000002194Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:43.966{928AB1BB-E35D-60C1-0B00-00000000C301}632840C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 354300x80000000000000002193Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:41.625{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-365.attackrange.local52667-false10.0.1.14win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000002192Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:41.625{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-365.attackrange.local52667-false10.0.1.14win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000002191Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:41.622{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsetrue2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52666-true2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000002190Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:41.622{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruetrue2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52666-true2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000002189Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:41.619{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local52665-truefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local445microsoft-ds 354300x80000000000000002188Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:41.619{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local52665-truefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local445microsoft-ds 354300x80000000000000002187Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:41.616{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52664-truefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000002186Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:41.615{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52664-truefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 10341000x80000000000000002215Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:44.984{928AB1BB-E35D-60C1-0B00-00000000C301}632692C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000002214Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:44.984{928AB1BB-E35D-60C1-0B00-00000000C301}632692C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000002213Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:44.984{928AB1BB-E35D-60C1-0B00-00000000C301}632676C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000002212Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:44.984{928AB1BB-E35D-60C1-0B00-00000000C301}632852C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 354300x80000000000000002211Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:43.650{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local52674-truefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local445microsoft-ds 354300x80000000000000002210Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:43.650{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local52674-truefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local445microsoft-ds 354300x80000000000000002209Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:43.647{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52673-truefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000002208Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:43.647{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52673-truefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000002207Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:43.286{928AB1BB-E35D-60C1-0B00-00000000C301}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-365.attackrange.local52672-true0:0:0:0:0:0:0:1win-dc-365.attackrange.local389ldap 354300x80000000000000002206Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:43.286{928AB1BB-E36F-60C1-2100-00000000C301}2464C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-365.attackrange.local52672-true0:0:0:0:0:0:0:1win-dc-365.attackrange.local389ldap 354300x80000000000000002205Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:42.640{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-365.attackrange.local52671-false10.0.1.14win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000002204Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:42.640{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-365.attackrange.local52671-false10.0.1.14win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000002203Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:42.637{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsetrue2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52670-true2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000002202Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:42.637{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruetrue2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52670-true2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000002201Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:42.634{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local52669-truefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local445microsoft-ds 354300x80000000000000002200Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:42.634{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local52669-truefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local445microsoft-ds 354300x80000000000000002199Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:42.631{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52668-truefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000002198Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:42.631{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52668-truefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000002219Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:43.657{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-365.attackrange.local52676-false10.0.1.14win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000002218Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:43.657{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-365.attackrange.local52676-false10.0.1.14win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000002217Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:43.653{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsetrue2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52675-true2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000002216Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:43.653{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruetrue2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52675-true2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000002231Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:44.671{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-365.attackrange.local52680-false10.0.1.14win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000002230Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:44.671{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-365.attackrange.local52680-false10.0.1.14win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000002229Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:44.668{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsetrue2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52679-true2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000002228Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:44.668{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruetrue2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52679-true2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 10341000x80000000000000002227Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:46.018{928AB1BB-E35D-60C1-0B00-00000000C301}632840C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 354300x80000000000000002226Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:44.665{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local52678-truefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local445microsoft-ds 354300x80000000000000002225Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:44.665{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local52678-truefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local445microsoft-ds 354300x80000000000000002224Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:44.662{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52677-truefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000002223Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:44.662{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52677-truefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 10341000x80000000000000002222Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:46.003{928AB1BB-E35D-60C1-0B00-00000000C301}632840C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000002221Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:46.003{928AB1BB-E35D-60C1-0B00-00000000C301}632676C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000002220Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:46.003{928AB1BB-E35D-60C1-0B00-00000000C301}632676C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000002301Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:47.992{928AB1BB-E35D-60C1-0B00-00000000C301}632852C:\Windows\system32\lsass.exe{928AB1BB-E437-60C1-F602-00000000C301}4600C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002300Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:47.992{928AB1BB-E35D-60C1-0B00-00000000C301}632852C:\Windows\system32\lsass.exe{928AB1BB-E437-60C1-F602-00000000C301}4600C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 17141700x80000000000000002299Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-CreatePipe2021-06-10 10:06:47.977{928AB1BB-E437-60C1-F602-00000000C301}4600\PSHost.132677932079194186.4600.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 23542300x80000000000000002298Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:47.961{928AB1BB-E437-60C1-F602-00000000C301}4600ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_2blwsl52.frf.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002297Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:47.961{928AB1BB-E437-60C1-F602-00000000C301}4600ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_re4nu0zb.tik.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000002296Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:47.945{928AB1BB-E437-60C1-F602-00000000C301}4600C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_re4nu0zb.tik.ps12021-06-10 10:06:47.945 10341000x80000000000000002295Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:47.945{928AB1BB-E35F-60C1-0C00-00000000C301}860904C:\Windows\system32\svchost.exe{928AB1BB-E437-60C1-F602-00000000C301}4600C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002294Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:47.930{928AB1BB-E35D-60C1-0B00-00000000C301}632852C:\Windows\system32\lsass.exe{928AB1BB-E35F-60C1-1300-00000000C301}964C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+1d1e8|C:\Windows\system32\lsasrv.dll+1c411|C:\Windows\system32\lsasrv.dll+1ac30|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002293Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:47.930{928AB1BB-E35D-60C1-0B00-00000000C301}632852C:\Windows\system32\lsass.exe{928AB1BB-E35F-60C1-1300-00000000C301}964C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+19616|C:\Windows\system32\lsasrv.dll+1abbf|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002292Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:47.930{928AB1BB-E35D-60C1-0B00-00000000C301}632852C:\Windows\system32\lsass.exe{928AB1BB-E35F-60C1-1300-00000000C301}964C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002291Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:47.914{928AB1BB-E437-60C1-F402-00000000C301}42924940C:\Windows\system32\conhost.exe{928AB1BB-E437-60C1-F602-00000000C301}4600C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002290Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:47.914{928AB1BB-E35F-60C1-0C00-00000000C301}860904C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002289Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:47.914{928AB1BB-E35F-60C1-0C00-00000000C301}860904C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002288Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:47.914{928AB1BB-E35F-60C1-0C00-00000000C301}860904C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002287Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:47.914{928AB1BB-E35F-60C1-0C00-00000000C301}860904C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002286Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:47.914{928AB1BB-E35F-60C1-0C00-00000000C301}860904C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002285Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:47.914{928AB1BB-E35F-60C1-0C00-00000000C301}860904C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002284Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:47.914{928AB1BB-E35F-60C1-0C00-00000000C301}860904C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002283Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:47.914{928AB1BB-E35F-60C1-0C00-00000000C301}860904C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002282Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:47.914{928AB1BB-E349-60C1-0500-00000000C301}412500C:\Windows\system32\csrss.exe{928AB1BB-E437-60C1-F602-00000000C301}4600C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000002281Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:47.914{928AB1BB-E35F-60C1-0C00-00000000C301}860904C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002280Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:47.914{928AB1BB-E437-60C1-F502-00000000C301}51005080C:\Windows\system32\cmd.exe{928AB1BB-E437-60C1-F602-00000000C301}4600C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000002279Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:47.919{928AB1BB-E437-60C1-F602-00000000C301}4600C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXEPowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand KABHAGUAdAAtAFcAbQBpAE8AYgBqAGUAYwB0ACAALQBDAGwAYQBzAHMATgBhAG0AZQAgAFcAaQBuADMAMgBfAE8AcABlAHIAYQB0AGkAbgBnAFMAeQBzAHQAZQBtACkALgBMAGEAcwB0AEIAbwBvAHQAVQBwAFQAaQBtAGUAC:\Users\Administrator\ATTACKRANGE\Administrator{928AB1BB-E437-60C1-8860-100000000000}0x1060880HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{928AB1BB-E437-60C1-F502-00000000C301}5100C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /C PowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand KABHAGUAdAAtAFcAbQBpAE8AYgBqAGUAYwB0ACAALQBDAGwAYQBzAHMATgBhAG0AZQAgAFcAaQBuADMAMgBfAE8AcABlAHIAYQB0AGkAbgBnAFMAeQBzAHQAZQBtACkALgBMAGEAcwB0AEIAbwBvAHQAVQBwAFQAaQBtAGUA 10341000x80000000000000002278Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:47.914{928AB1BB-E437-60C1-F402-00000000C301}42924940C:\Windows\system32\conhost.exe{928AB1BB-E437-60C1-F502-00000000C301}5100C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002277Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:47.914{928AB1BB-E35F-60C1-0C00-00000000C301}860904C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002276Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:47.914{928AB1BB-E35F-60C1-0C00-00000000C301}860904C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002275Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:47.914{928AB1BB-E35F-60C1-0C00-00000000C301}860904C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002274Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:47.914{928AB1BB-E35F-60C1-0C00-00000000C301}860904C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002273Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:47.914{928AB1BB-E35F-60C1-0C00-00000000C301}860904C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002272Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:47.914{928AB1BB-E35F-60C1-0C00-00000000C301}860904C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002271Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:47.914{928AB1BB-E35F-60C1-0C00-00000000C301}860904C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002270Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:47.898{928AB1BB-E35F-60C1-0C00-00000000C301}860904C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002269Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:47.898{928AB1BB-E349-60C1-0500-00000000C301}412500C:\Windows\system32\csrss.exe{928AB1BB-E437-60C1-F502-00000000C301}5100C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000002268Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:47.898{928AB1BB-E35F-60C1-0C00-00000000C301}860904C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002267Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:47.898{928AB1BB-E437-60C1-F302-00000000C301}48564612C:\Windows\system32\WinrsHost.exe{928AB1BB-E437-60C1-F502-00000000C301}5100C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\WinrsHost.exe+2c94|C:\Windows\system32\WinrsHost.exe+2eb1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b 154100x80000000000000002266Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:47.913{928AB1BB-E437-60C1-F502-00000000C301}5100C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /C PowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand KABHAGUAdAAtAFcAbQBpAE8AYgBqAGUAYwB0ACAALQBDAGwAYQBzAHMATgBhAG0AZQAgAFcAaQBuADMAMgBfAE8AcABlAHIAYQB0AGkAbgBnAFMAeQBzAHQAZQBtACkALgBMAGEAcwB0AEIAbwBvAHQAVQBwAFQAaQBtAGUAC:\Users\Administrator\ATTACKRANGE\Administrator{928AB1BB-E437-60C1-8860-100000000000}0x1060880HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{928AB1BB-E437-60C1-F302-00000000C301}4856C:\Windows\System32\winrshost.exeC:\Windows\system32\WinrsHost.exe -Embedding 10341000x80000000000000002265Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:47.898{928AB1BB-E35D-60C1-0B00-00000000C301}632852C:\Windows\system32\lsass.exe{928AB1BB-E35F-60C1-1300-00000000C301}964C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+1d1e8|C:\Windows\system32\lsasrv.dll+1c411|C:\Windows\system32\lsasrv.dll+1ac30|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002264Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:47.898{928AB1BB-E35D-60C1-0B00-00000000C301}632852C:\Windows\system32\lsass.exe{928AB1BB-E35F-60C1-1300-00000000C301}964C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+19616|C:\Windows\system32\lsasrv.dll+1abbf|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002263Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:47.898{928AB1BB-E35D-60C1-0B00-00000000C301}632852C:\Windows\system32\lsass.exe{928AB1BB-E35F-60C1-1300-00000000C301}964C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002262Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:47.883{928AB1BB-E35F-60C1-1300-00000000C301}9641504C:\Windows\system32\svchost.exe{928AB1BB-E437-60C1-F302-00000000C301}4856C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\winrscmd.dll+8d36|C:\Windows\system32\winrscmd.dll+92d5|C:\Windows\system32\winrscmd.dll+af31|C:\Windows\system32\winrscmd.dll+23dc|c:\windows\system32\wsmsvc.dll+155ac7|c:\windows\system32\wsmsvc.dll+13f76d|c:\windows\system32\wsmsvc.dll+13f3cf|c:\windows\system32\wsmsvc.dll+13fcb2|c:\windows\system32\wsmsvc.dll+9ab10|c:\windows\system32\wsmsvc.dll+9b611|c:\windows\system32\wsmsvc.dll+4495|c:\windows\system32\wsmsvc.dll+16816c|c:\windows\system32\wsmsvc.dll+1689b8|c:\windows\system32\wsmsvc.dll+16345b|c:\windows\system32\wsmsvc.dll+163125|c:\windows\system32\wsmsvc.dll+14ce9c|c:\windows\system32\wsmsvc.dll+130049|c:\windows\system32\wsmsvc.dll+13571a|c:\windows\system32\wsmsvc.dll+12f47e|c:\windows\system32\wsmsvc.dll+125587|c:\windows\system32\wsmsvc.dll+11f562|c:\windows\system32\wsmsvc.dll+124574 10341000x80000000000000002261Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:47.867{928AB1BB-E35F-60C1-0C00-00000000C301}860904C:\Windows\system32\svchost.exe{928AB1BB-E437-60C1-F302-00000000C301}4856C:\Windows\system32\WinrsHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002260Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:47.867{928AB1BB-E437-60C1-F402-00000000C301}42924940C:\Windows\system32\conhost.exe{928AB1BB-E437-60C1-F302-00000000C301}4856C:\Windows\system32\WinrsHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002259Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:47.851{928AB1BB-E349-60C1-0500-00000000C301}412500C:\Windows\system32\csrss.exe{928AB1BB-E437-60C1-F402-00000000C301}4292C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000002258Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:47.851{928AB1BB-E35F-60C1-0C00-00000000C301}860904C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002257Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:47.851{928AB1BB-E35F-60C1-0C00-00000000C301}860904C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002256Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:47.851{928AB1BB-E35F-60C1-0C00-00000000C301}860904C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002255Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:47.851{928AB1BB-E35F-60C1-0C00-00000000C301}860904C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002254Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:47.851{928AB1BB-E35F-60C1-0C00-00000000C301}860904C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002253Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:47.851{928AB1BB-E35F-60C1-0C00-00000000C301}860904C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002252Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:47.851{928AB1BB-E35F-60C1-0C00-00000000C301}860904C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002251Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:47.851{928AB1BB-E35F-60C1-0C00-00000000C301}860904C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002250Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:47.851{928AB1BB-E35F-60C1-0C00-00000000C301}860904C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002249Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:47.851{928AB1BB-E349-60C1-0500-00000000C301}412428C:\Windows\system32\csrss.exe{928AB1BB-E437-60C1-F302-00000000C301}4856C:\Windows\system32\WinrsHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000002248Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:47.851{928AB1BB-E35F-60C1-0C00-00000000C301}860108C:\Windows\system32\svchost.exe{928AB1BB-E437-60C1-F302-00000000C301}4856C:\Windows\system32\WinrsHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+35069|c:\windows\system32\rpcss.dll+3a852|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000002247Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:47.858{928AB1BB-E437-60C1-F302-00000000C301}4856C:\Windows\System32\winrshost.exe10.0.14393.0 (rs1_release.160715-1616)Host Process for WinRM's Remote Shell pluginMicrosoft® Windows® Operating SystemMicrosoft Corporationwinrshost.exeC:\Windows\system32\WinrsHost.exe -EmbeddingC:\Windows\system32\ATTACKRANGE\Administrator{928AB1BB-E437-60C1-8860-100000000000}0x1060880HighMD5=F40EC96CA18D88CB1F26FA2070010714,SHA256=607C014A3CA531FFAD50BCD90095C01E4E6B691D9E18473C70E4699CF1E31453,IMPHASH=4216D8E7F36901B61DFD6309B49BCF96{928AB1BB-E35F-60C1-0C00-00000000C301}860C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch 10341000x80000000000000002246Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:47.851{928AB1BB-E35D-60C1-0B00-00000000C301}632852C:\Windows\system32\lsass.exe{928AB1BB-E35F-60C1-1300-00000000C301}964C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+1d1e8|C:\Windows\system32\lsasrv.dll+1c411|C:\Windows\system32\lsasrv.dll+1ac30|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002245Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:47.851{928AB1BB-E35D-60C1-0B00-00000000C301}632852C:\Windows\system32\lsass.exe{928AB1BB-E35F-60C1-1300-00000000C301}964C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+19616|C:\Windows\system32\lsasrv.dll+1abbf|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002244Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:47.851{928AB1BB-E35D-60C1-0B00-00000000C301}632852C:\Windows\system32\lsass.exe{928AB1BB-E35F-60C1-1300-00000000C301}964C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000002243Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:45.687{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-365.attackrange.local52684-false10.0.1.14win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000002242Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:45.687{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-365.attackrange.local52684-false10.0.1.14win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000002241Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:45.685{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsetrue2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52683-true2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000002240Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:45.684{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruetrue2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52683-true2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000002239Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:45.681{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local52682-truefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local445microsoft-ds 354300x80000000000000002238Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:45.681{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local52682-truefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local445microsoft-ds 354300x80000000000000002237Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:45.678{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52681-truefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000002236Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:45.678{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52681-truefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 10341000x80000000000000002235Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:47.037{928AB1BB-E35D-60C1-0B00-00000000C301}632852C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000002234Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:47.037{928AB1BB-E35D-60C1-0B00-00000000C301}632852C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000002233Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:47.037{928AB1BB-E35D-60C1-0B00-00000000C301}632852C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000002232Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:47.037{928AB1BB-E35D-60C1-0B00-00000000C301}632840C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 354300x80000000000000002318Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:47.457{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse46.128.24.7946.128.24.79.dynamic.cablesurf.de52710-false10.0.1.14win-dc-365.attackrange.local5986- 354300x80000000000000002317Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:46.718{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-365.attackrange.local52688-false10.0.1.14win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000002316Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:46.718{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-365.attackrange.local52688-false10.0.1.14win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000002315Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:46.715{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsetrue2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52687-true2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000002314Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:46.715{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruetrue2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52687-true2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 10341000x80000000000000002313Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:48.227{928AB1BB-E35D-60C1-0B00-00000000C301}632852C:\Windows\system32\lsass.exe{928AB1BB-E35F-60C1-1300-00000000C301}964C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+1d1e8|C:\Windows\system32\lsasrv.dll+1c411|C:\Windows\system32\lsasrv.dll+1ac30|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002312Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:48.227{928AB1BB-E35D-60C1-0B00-00000000C301}632852C:\Windows\system32\lsass.exe{928AB1BB-E35F-60C1-1300-00000000C301}964C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+19616|C:\Windows\system32\lsasrv.dll+1abbf|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002311Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:48.227{928AB1BB-E35D-60C1-0B00-00000000C301}632852C:\Windows\system32\lsass.exe{928AB1BB-E35F-60C1-1300-00000000C301}964C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000002310Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:48.118{928AB1BB-E437-60C1-F602-00000000C301}4600ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5=446DD1CF97EABA21CF14D03AEBC79F27,SHA256=A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002309Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:46.712{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local52686-truefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local445microsoft-ds 354300x80000000000000002308Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:46.712{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local52686-truefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local445microsoft-ds 354300x80000000000000002307Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:46.709{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52685-truefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000002306Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:46.709{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52685-truefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 10341000x80000000000000002305Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:48.055{928AB1BB-E35D-60C1-0B00-00000000C301}632852C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000002304Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:48.055{928AB1BB-E35D-60C1-0B00-00000000C301}632852C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000002303Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:48.055{928AB1BB-E35D-60C1-0B00-00000000C301}632852C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000002302Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:48.055{928AB1BB-E35D-60C1-0B00-00000000C301}632852C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 354300x80000000000000002330Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:47.733{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-365.attackrange.local52692-false10.0.1.14win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000002329Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:47.733{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-365.attackrange.local52692-false10.0.1.14win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000002328Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:47.731{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsetrue2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52691-true2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000002327Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:47.730{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruetrue2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52691-true2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000002326Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:47.728{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local52690-truefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local445microsoft-ds 354300x80000000000000002325Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:47.728{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local52690-truefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local445microsoft-ds 354300x80000000000000002324Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:47.725{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52689-truefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000002323Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:47.725{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52689-truefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 10341000x80000000000000002322Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:49.073{928AB1BB-E35D-60C1-0B00-00000000C301}632692C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000002321Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:49.073{928AB1BB-E35D-60C1-0B00-00000000C301}632692C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000002320Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:49.073{928AB1BB-E35D-60C1-0B00-00000000C301}632840C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000002319Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:49.073{928AB1BB-E35D-60C1-0B00-00000000C301}632852C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 354300x80000000000000002338Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:48.743{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local52694-truefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local445microsoft-ds 354300x80000000000000002337Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:48.743{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local52694-truefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local445microsoft-ds 354300x80000000000000002336Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:48.740{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52693-truefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000002335Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:48.740{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52693-truefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 10341000x80000000000000002334Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:50.092{928AB1BB-E35D-60C1-0B00-00000000C301}632852C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000002333Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:50.092{928AB1BB-E35D-60C1-0B00-00000000C301}632852C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000002332Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:50.092{928AB1BB-E35D-60C1-0B00-00000000C301}632852C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000002331Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:50.092{928AB1BB-E35D-60C1-0B00-00000000C301}632840C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 354300x80000000000000002352Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:49.762{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsetrue2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52699-true2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000002351Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:49.762{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruetrue2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52699-true2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000002350Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:49.759{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local52698-truefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local445microsoft-ds 354300x80000000000000002349Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:49.759{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local52698-truefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local445microsoft-ds 354300x80000000000000002348Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:49.756{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52697-truefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000002347Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:49.756{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52697-truefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 10341000x80000000000000002346Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:51.110{928AB1BB-E35D-60C1-0B00-00000000C301}632692C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000002345Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:51.110{928AB1BB-E35D-60C1-0B00-00000000C301}632692C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000002344Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:51.110{928AB1BB-E35D-60C1-0B00-00000000C301}632840C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000002343Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:51.110{928AB1BB-E35D-60C1-0B00-00000000C301}632840C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 354300x80000000000000002342Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:48.749{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-365.attackrange.local52696-false10.0.1.14win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000002341Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:48.749{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-365.attackrange.local52696-false10.0.1.14win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000002340Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:48.746{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsetrue2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52695-true2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000002339Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:48.746{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruetrue2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52695-true2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 10341000x80000000000000002365Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:52.410{928AB1BB-E35D-60C1-0B00-00000000C301}632840C:\Windows\system32\lsass.exe{928AB1BB-E36F-60C1-1F00-00000000C301}2448C:\Windows\system32\dns.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+304a5|C:\Windows\system32\lsasrv.dll+2e33b|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 354300x80000000000000002364Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:50.778{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsetrue2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52703-true2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000002363Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:50.778{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruetrue2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52703-true2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000002362Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:50.774{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local52702-truefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local445microsoft-ds 354300x80000000000000002361Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:50.774{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local52702-truefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local445microsoft-ds 354300x80000000000000002360Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:50.771{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52701-truefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000002359Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:50.771{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52701-truefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 10341000x80000000000000002358Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:52.128{928AB1BB-E35D-60C1-0B00-00000000C301}632840C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000002357Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:52.128{928AB1BB-E35D-60C1-0B00-00000000C301}632840C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000002356Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:52.128{928AB1BB-E35D-60C1-0B00-00000000C301}632676C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000002355Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:52.128{928AB1BB-E35D-60C1-0B00-00000000C301}632692C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 354300x80000000000000002354Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:49.765{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-365.attackrange.local52700-false10.0.1.14win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000002353Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:49.765{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-365.attackrange.local52700-false10.0.1.14win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000002379Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:51.796{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-365.attackrange.local52708-false10.0.1.14win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000002378Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:51.796{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-365.attackrange.local52708-false10.0.1.14win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000002377Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:51.793{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsetrue2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52707-true2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000002376Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:51.793{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruetrue2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52707-true2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000002375Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:51.790{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local52706-truefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local445microsoft-ds 354300x80000000000000002374Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:51.790{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local52706-truefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local445microsoft-ds 354300x80000000000000002373Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:51.787{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52705-truefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000002372Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:51.787{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52705-truefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 10341000x80000000000000002371Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:53.147{928AB1BB-E35D-60C1-0B00-00000000C301}632676C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000002370Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:53.147{928AB1BB-E35D-60C1-0B00-00000000C301}632676C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000002369Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:53.147{928AB1BB-E35D-60C1-0B00-00000000C301}632692C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000002368Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:53.147{928AB1BB-E35D-60C1-0B00-00000000C301}632840C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 354300x80000000000000002367Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:50.780{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-365.attackrange.local52704-false10.0.1.14win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000002366Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:50.780{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-365.attackrange.local52704-false10.0.1.14win-dc-365.attackrange.local445microsoft-ds 10341000x80000000000000002389Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:54.165{928AB1BB-E35D-60C1-0B00-00000000C301}632692C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000002388Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:54.165{928AB1BB-E35D-60C1-0B00-00000000C301}632840C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000002387Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:54.165{928AB1BB-E35D-60C1-0B00-00000000C301}632692C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000002386Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:54.165{928AB1BB-E35D-60C1-0B00-00000000C301}632676C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 354300x80000000000000002385Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:52.806{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local52711-truefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local445microsoft-ds 354300x80000000000000002384Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:52.806{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local52711-truefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local445microsoft-ds 354300x80000000000000002383Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:52.803{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52710-truefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000002382Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:52.803{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52710-truefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000002381Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:52.073{928AB1BB-E35D-60C1-0B00-00000000C301}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local52709-truefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local389ldap 354300x80000000000000002380Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:52.073{928AB1BB-E36F-60C1-1F00-00000000C301}2448C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local52709-truefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local389ldap 354300x80000000000000002405Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:53.828{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-365.attackrange.local52717-false10.0.1.14win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000002404Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:53.828{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-365.attackrange.local52717-false10.0.1.14win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000002403Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:53.825{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsetrue2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52716-true2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000002402Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:53.825{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruetrue2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52716-true2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000002401Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:53.822{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local52715-truefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local445microsoft-ds 354300x80000000000000002400Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:53.822{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local52715-truefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local445microsoft-ds 354300x80000000000000002399Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:53.818{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52714-truefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000002398Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:53.818{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52714-truefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000002397Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:52.812{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-365.attackrange.local52713-false10.0.1.14win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000002396Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:52.812{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-365.attackrange.local52713-false10.0.1.14win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000002395Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:52.809{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsetrue2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52712-true2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000002394Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:52.809{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruetrue2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52712-true2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 10341000x80000000000000002393Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:55.183{928AB1BB-E35D-60C1-0B00-00000000C301}632840C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000002392Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:55.183{928AB1BB-E35D-60C1-0B00-00000000C301}632840C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000002391Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:55.183{928AB1BB-E35D-60C1-0B00-00000000C301}632840C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000002390Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:55.183{928AB1BB-E35D-60C1-0B00-00000000C301}632692C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 354300x80000000000000002415Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:54.840{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsetrue2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52720-true2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000002414Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:54.840{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruetrue2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52720-true2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000002413Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:54.837{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local52719-truefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local445microsoft-ds 354300x80000000000000002412Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:54.837{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local52719-truefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local445microsoft-ds 354300x80000000000000002411Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:54.834{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52718-truefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000002410Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:54.834{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52718-truefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 10341000x80000000000000002409Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:56.201{928AB1BB-E35D-60C1-0B00-00000000C301}632676C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000002408Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:56.201{928AB1BB-E35D-60C1-0B00-00000000C301}632692C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000002407Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:56.201{928AB1BB-E35D-60C1-0B00-00000000C301}632840C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000002406Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:56.201{928AB1BB-E35D-60C1-0B00-00000000C301}632840C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 354300x80000000000000002429Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:55.858{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-365.attackrange.local52725-false10.0.1.14win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000002428Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:55.858{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-365.attackrange.local52725-false10.0.1.14win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000002427Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:55.855{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsetrue2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52724-true2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000002426Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:55.855{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruetrue2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52724-true2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000002425Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:55.852{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local52723-truefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local445microsoft-ds 354300x80000000000000002424Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:55.852{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local52723-truefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local445microsoft-ds 354300x80000000000000002423Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:55.849{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52722-truefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000002422Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:55.849{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52722-truefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000002421Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:54.843{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-365.attackrange.local52721-false10.0.1.14win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000002420Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:54.843{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-365.attackrange.local52721-false10.0.1.14win-dc-365.attackrange.local445microsoft-ds 10341000x80000000000000002419Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:57.219{928AB1BB-E35D-60C1-0B00-00000000C301}632676C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000002418Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:57.219{928AB1BB-E35D-60C1-0B00-00000000C301}632692C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000002417Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:57.219{928AB1BB-E35D-60C1-0B00-00000000C301}632692C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000002416Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:57.219{928AB1BB-E35D-60C1-0B00-00000000C301}632692C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 354300x80000000000000002439Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:56.871{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local52728-truefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local445microsoft-ds 354300x80000000000000002438Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:56.871{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local52728-truefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local445microsoft-ds 354300x80000000000000002437Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:56.868{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52727-truefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000002436Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:56.868{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52727-truefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000002435Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:56.865{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-365.attackrange.local52726-false10.0.1.14win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000002434Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:56.865{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-365.attackrange.local52726-false10.0.1.14win-dc-365.attackrange.local445microsoft-ds 10341000x80000000000000002433Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:58.253{928AB1BB-E35D-60C1-0B00-00000000C301}632840C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000002432Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:58.238{928AB1BB-E35D-60C1-0B00-00000000C301}632676C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000002431Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:58.238{928AB1BB-E35D-60C1-0B00-00000000C301}632852C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000002430Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:58.238{928AB1BB-E35D-60C1-0B00-00000000C301}632676C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 354300x80000000000000002451Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:57.890{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local52732-truefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local445microsoft-ds 354300x80000000000000002450Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:57.890{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local52732-truefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local445microsoft-ds 354300x80000000000000002449Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:57.884{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52731-truefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000002448Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:57.884{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52731-truefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000002447Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:57.880{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-365.attackrange.local52730-false10.0.1.14win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000002446Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:57.880{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-365.attackrange.local52730-false10.0.1.14win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000002445Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:56.873{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsetrue2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52729-true2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000002444Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:56.873{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruetrue2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52729-true2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 10341000x80000000000000002443Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:59.271{928AB1BB-E35D-60C1-0B00-00000000C301}632840C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000002442Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:59.271{928AB1BB-E35D-60C1-0B00-00000000C301}632840C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000002441Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:59.271{928AB1BB-E35D-60C1-0B00-00000000C301}632692C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000002440Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:59.271{928AB1BB-E35D-60C1-0B00-00000000C301}632676C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000002521Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:00.947{928AB1BB-E35D-60C1-0B00-00000000C301}632676C:\Windows\system32\lsass.exe{928AB1BB-E444-60C1-FA02-00000000C301}984C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002520Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:00.947{928AB1BB-E35D-60C1-0B00-00000000C301}632676C:\Windows\system32\lsass.exe{928AB1BB-E444-60C1-FA02-00000000C301}984C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 17141700x80000000000000002519Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-CreatePipe2021-06-10 10:07:00.916{928AB1BB-E444-60C1-FA02-00000000C301}984\PSHost.132677932208738916.984.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 23542300x80000000000000002518Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:00.916{928AB1BB-E444-60C1-FA02-00000000C301}984ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_dhg0eczw.hmd.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002517Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:00.916{928AB1BB-E444-60C1-FA02-00000000C301}984ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_cfdfid51.nsf.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000002516Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:00.900{928AB1BB-E444-60C1-FA02-00000000C301}984C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_cfdfid51.nsf.ps12021-06-10 10:07:00.900 10341000x80000000000000002515Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:00.900{928AB1BB-E35F-60C1-0C00-00000000C301}860108C:\Windows\system32\svchost.exe{928AB1BB-E444-60C1-FA02-00000000C301}984C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002514Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:00.885{928AB1BB-E35D-60C1-0B00-00000000C301}632676C:\Windows\system32\lsass.exe{928AB1BB-E35F-60C1-1300-00000000C301}964C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+1d1e8|C:\Windows\system32\lsasrv.dll+1c411|C:\Windows\system32\lsasrv.dll+1ac30|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002513Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:00.885{928AB1BB-E35D-60C1-0B00-00000000C301}632676C:\Windows\system32\lsass.exe{928AB1BB-E35F-60C1-1300-00000000C301}964C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+19616|C:\Windows\system32\lsasrv.dll+1abbf|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002512Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:00.885{928AB1BB-E35D-60C1-0B00-00000000C301}632676C:\Windows\system32\lsass.exe{928AB1BB-E35F-60C1-1300-00000000C301}964C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002511Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:00.869{928AB1BB-E444-60C1-F802-00000000C301}12004724C:\Windows\system32\conhost.exe{928AB1BB-E444-60C1-FA02-00000000C301}984C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002510Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:00.869{928AB1BB-E35F-60C1-0C00-00000000C301}860108C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002509Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:00.869{928AB1BB-E35F-60C1-0C00-00000000C301}860108C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002508Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:00.869{928AB1BB-E35F-60C1-0C00-00000000C301}860108C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002507Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:00.869{928AB1BB-E35F-60C1-0C00-00000000C301}860108C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002506Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:00.869{928AB1BB-E35F-60C1-0C00-00000000C301}860108C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002505Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:00.869{928AB1BB-E35F-60C1-0C00-00000000C301}860108C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002504Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:00.869{928AB1BB-E35F-60C1-0C00-00000000C301}860108C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002503Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:00.869{928AB1BB-E35F-60C1-0C00-00000000C301}860108C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002502Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:00.869{928AB1BB-E349-60C1-0500-00000000C301}412428C:\Windows\system32\csrss.exe{928AB1BB-E444-60C1-FA02-00000000C301}984C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000002501Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:00.869{928AB1BB-E35F-60C1-0C00-00000000C301}860108C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002500Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:00.869{928AB1BB-E444-60C1-F902-00000000C301}38363040C:\Windows\system32\cmd.exe{928AB1BB-E444-60C1-FA02-00000000C301}984C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000002499Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:00.873{928AB1BB-E444-60C1-FA02-00000000C301}984C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXEPowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand KABHAGUAdAAtAFcAbQBpAE8AYgBqAGUAYwB0ACAALQBDAGwAYQBzAHMATgBhAG0AZQAgAFcAaQBuADMAMgBfAE8AcABlAHIAYQB0AGkAbgBnAFMAeQBzAHQAZQBtACkALgBMAGEAcwB0AEIAbwBvAHQAVQBwAFQAaQBtAGUAC:\Users\Administrator\ATTACKRANGE\Administrator{928AB1BB-E444-60C1-8F95-100000000000}0x10958f0HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{928AB1BB-E444-60C1-F902-00000000C301}3836C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /C PowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand KABHAGUAdAAtAFcAbQBpAE8AYgBqAGUAYwB0ACAALQBDAGwAYQBzAHMATgBhAG0AZQAgAFcAaQBuADMAMgBfAE8AcABlAHIAYQB0AGkAbgBnAFMAeQBzAHQAZQBtACkALgBMAGEAcwB0AEIAbwBvAHQAVQBwAFQAaQBtAGUA 10341000x80000000000000002498Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:00.869{928AB1BB-E444-60C1-F802-00000000C301}12004724C:\Windows\system32\conhost.exe{928AB1BB-E444-60C1-F902-00000000C301}3836C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002497Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:00.869{928AB1BB-E35F-60C1-0C00-00000000C301}860108C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002496Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:00.869{928AB1BB-E35F-60C1-0C00-00000000C301}860108C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002495Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:00.869{928AB1BB-E35F-60C1-0C00-00000000C301}860108C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002494Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:00.869{928AB1BB-E35F-60C1-0C00-00000000C301}860108C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002493Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:00.853{928AB1BB-E35F-60C1-0C00-00000000C301}860108C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002492Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:00.853{928AB1BB-E35F-60C1-0C00-00000000C301}860108C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002491Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:00.853{928AB1BB-E35F-60C1-0C00-00000000C301}860108C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002490Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:00.853{928AB1BB-E349-60C1-0500-00000000C301}412428C:\Windows\system32\csrss.exe{928AB1BB-E444-60C1-F902-00000000C301}3836C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000002489Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:00.853{928AB1BB-E35F-60C1-0C00-00000000C301}860108C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002488Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:00.853{928AB1BB-E35F-60C1-0C00-00000000C301}860108C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002487Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:00.853{928AB1BB-E444-60C1-F702-00000000C301}27403168C:\Windows\system32\WinrsHost.exe{928AB1BB-E444-60C1-F902-00000000C301}3836C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\WinrsHost.exe+2c94|C:\Windows\system32\WinrsHost.exe+2eb1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b 154100x80000000000000002486Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:00.868{928AB1BB-E444-60C1-F902-00000000C301}3836C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /C PowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand KABHAGUAdAAtAFcAbQBpAE8AYgBqAGUAYwB0ACAALQBDAGwAYQBzAHMATgBhAG0AZQAgAFcAaQBuADMAMgBfAE8AcABlAHIAYQB0AGkAbgBnAFMAeQBzAHQAZQBtACkALgBMAGEAcwB0AEIAbwBvAHQAVQBwAFQAaQBtAGUAC:\Users\Administrator\ATTACKRANGE\Administrator{928AB1BB-E444-60C1-8F95-100000000000}0x10958f0HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{928AB1BB-E444-60C1-F702-00000000C301}2740C:\Windows\System32\winrshost.exeC:\Windows\system32\WinrsHost.exe -Embedding 10341000x80000000000000002485Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:00.853{928AB1BB-E35D-60C1-0B00-00000000C301}632676C:\Windows\system32\lsass.exe{928AB1BB-E35F-60C1-1300-00000000C301}964C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+1d1e8|C:\Windows\system32\lsasrv.dll+1c411|C:\Windows\system32\lsasrv.dll+1ac30|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002484Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:00.853{928AB1BB-E35D-60C1-0B00-00000000C301}632676C:\Windows\system32\lsass.exe{928AB1BB-E35F-60C1-1300-00000000C301}964C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+19616|C:\Windows\system32\lsasrv.dll+1abbf|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002483Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:00.853{928AB1BB-E35D-60C1-0B00-00000000C301}632676C:\Windows\system32\lsass.exe{928AB1BB-E35F-60C1-1300-00000000C301}964C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002482Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:00.838{928AB1BB-E35F-60C1-1300-00000000C301}9641504C:\Windows\system32\svchost.exe{928AB1BB-E444-60C1-F702-00000000C301}2740C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\winrscmd.dll+8d36|C:\Windows\system32\winrscmd.dll+92d5|C:\Windows\system32\winrscmd.dll+af31|C:\Windows\system32\winrscmd.dll+23dc|c:\windows\system32\wsmsvc.dll+155ac7|c:\windows\system32\wsmsvc.dll+13f76d|c:\windows\system32\wsmsvc.dll+13f3cf|c:\windows\system32\wsmsvc.dll+13fcb2|c:\windows\system32\wsmsvc.dll+9ab10|c:\windows\system32\wsmsvc.dll+9b611|c:\windows\system32\wsmsvc.dll+4495|c:\windows\system32\wsmsvc.dll+16816c|c:\windows\system32\wsmsvc.dll+1689b8|c:\windows\system32\wsmsvc.dll+16345b|c:\windows\system32\wsmsvc.dll+163125|c:\windows\system32\wsmsvc.dll+14ce9c|c:\windows\system32\wsmsvc.dll+130049|c:\windows\system32\wsmsvc.dll+13571a|c:\windows\system32\wsmsvc.dll+12f47e|c:\windows\system32\wsmsvc.dll+125587|c:\windows\system32\wsmsvc.dll+11f562|c:\windows\system32\wsmsvc.dll+124574 10341000x80000000000000002481Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:00.822{928AB1BB-E35F-60C1-0C00-00000000C301}860108C:\Windows\system32\svchost.exe{928AB1BB-E444-60C1-F702-00000000C301}2740C:\Windows\system32\WinrsHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002480Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:00.822{928AB1BB-E444-60C1-F802-00000000C301}12004724C:\Windows\system32\conhost.exe{928AB1BB-E444-60C1-F702-00000000C301}2740C:\Windows\system32\WinrsHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002479Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:00.806{928AB1BB-E349-60C1-0500-00000000C301}412428C:\Windows\system32\csrss.exe{928AB1BB-E444-60C1-F802-00000000C301}1200C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000002478Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:00.806{928AB1BB-E35F-60C1-0C00-00000000C301}860108C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002477Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:00.806{928AB1BB-E35F-60C1-0C00-00000000C301}860108C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002476Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:00.806{928AB1BB-E35F-60C1-0C00-00000000C301}860108C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002475Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:00.806{928AB1BB-E35F-60C1-0C00-00000000C301}860108C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002474Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:00.806{928AB1BB-E35F-60C1-0C00-00000000C301}860108C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002473Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:00.806{928AB1BB-E35F-60C1-0C00-00000000C301}860108C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002472Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:00.806{928AB1BB-E35F-60C1-0C00-00000000C301}860108C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002471Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:00.806{928AB1BB-E35F-60C1-0C00-00000000C301}860108C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002470Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:00.806{928AB1BB-E35F-60C1-0C00-00000000C301}860108C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002469Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:00.806{928AB1BB-E349-60C1-0500-00000000C301}412532C:\Windows\system32\csrss.exe{928AB1BB-E444-60C1-F702-00000000C301}2740C:\Windows\system32\WinrsHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000002468Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:00.806{928AB1BB-E35F-60C1-0C00-00000000C301}860904C:\Windows\system32\svchost.exe{928AB1BB-E444-60C1-F702-00000000C301}2740C:\Windows\system32\WinrsHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+35069|c:\windows\system32\rpcss.dll+3a852|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000002467Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:00.812{928AB1BB-E444-60C1-F702-00000000C301}2740C:\Windows\System32\winrshost.exe10.0.14393.0 (rs1_release.160715-1616)Host Process for WinRM's Remote Shell pluginMicrosoft® Windows® Operating SystemMicrosoft Corporationwinrshost.exeC:\Windows\system32\WinrsHost.exe -EmbeddingC:\Windows\system32\ATTACKRANGE\Administrator{928AB1BB-E444-60C1-8F95-100000000000}0x10958f0HighMD5=F40EC96CA18D88CB1F26FA2070010714,SHA256=607C014A3CA531FFAD50BCD90095C01E4E6B691D9E18473C70E4699CF1E31453,IMPHASH=4216D8E7F36901B61DFD6309B49BCF96{928AB1BB-E35F-60C1-0C00-00000000C301}860C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch 10341000x80000000000000002466Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:00.806{928AB1BB-E35D-60C1-0B00-00000000C301}632676C:\Windows\system32\lsass.exe{928AB1BB-E35F-60C1-1300-00000000C301}964C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+1d1e8|C:\Windows\system32\lsasrv.dll+1c411|C:\Windows\system32\lsasrv.dll+1ac30|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002465Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:00.806{928AB1BB-E35D-60C1-0B00-00000000C301}632676C:\Windows\system32\lsass.exe{928AB1BB-E35F-60C1-1300-00000000C301}964C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+19616|C:\Windows\system32\lsasrv.dll+1abbf|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002464Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:00.806{928AB1BB-E35D-60C1-0B00-00000000C301}632676C:\Windows\system32\lsass.exe{928AB1BB-E35F-60C1-1300-00000000C301}964C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000002463Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:58.917{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local52736-truefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local445microsoft-ds 354300x80000000000000002462Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:58.917{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local52736-truefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local445microsoft-ds 354300x80000000000000002461Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:58.915{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52735-truefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000002460Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:58.915{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52735-truefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000002459Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:58.912{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-365.attackrange.local52734-false10.0.1.14win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000002458Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:58.912{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-365.attackrange.local52734-false10.0.1.14win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000002457Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:57.896{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsetrue2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52733-true2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000002456Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:57.896{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruetrue2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52733-true2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 10341000x80000000000000002455Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:00.290{928AB1BB-E35D-60C1-0B00-00000000C301}632852C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000002454Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:00.290{928AB1BB-E35D-60C1-0B00-00000000C301}632676C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000002453Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:00.290{928AB1BB-E35D-60C1-0B00-00000000C301}632692C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000002452Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:00.290{928AB1BB-E35D-60C1-0B00-00000000C301}632692C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 354300x80000000000000002537Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:59.933{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local52740-truefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local445microsoft-ds 354300x80000000000000002536Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:59.933{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local52740-truefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local445microsoft-ds 354300x80000000000000002535Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:59.930{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52739-truefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000002534Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:59.930{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52739-truefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000002533Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:59.927{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-365.attackrange.local52738-false10.0.1.14win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000002532Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:59.927{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-365.attackrange.local52738-false10.0.1.14win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000002531Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:58.920{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsetrue2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52737-true2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000002530Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:58.920{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruetrue2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52737-true2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 10341000x80000000000000002529Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:01.308{928AB1BB-E35D-60C1-0B00-00000000C301}632692C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000002528Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:01.308{928AB1BB-E35D-60C1-0B00-00000000C301}632840C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000002527Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:01.308{928AB1BB-E35D-60C1-0B00-00000000C301}632676C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000002526Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:01.308{928AB1BB-E35D-60C1-0B00-00000000C301}632692C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000002525Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:01.167{928AB1BB-E35D-60C1-0B00-00000000C301}632692C:\Windows\system32\lsass.exe{928AB1BB-E35F-60C1-1300-00000000C301}964C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+1d1e8|C:\Windows\system32\lsasrv.dll+1c411|C:\Windows\system32\lsasrv.dll+1ac30|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002524Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:01.167{928AB1BB-E35D-60C1-0B00-00000000C301}632692C:\Windows\system32\lsass.exe{928AB1BB-E35F-60C1-1300-00000000C301}964C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+19616|C:\Windows\system32\lsasrv.dll+1abbf|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002523Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:01.167{928AB1BB-E35D-60C1-0B00-00000000C301}632692C:\Windows\system32\lsass.exe{928AB1BB-E35F-60C1-1300-00000000C301}964C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000002522Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:01.073{928AB1BB-E444-60C1-FA02-00000000C301}984ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5=446DD1CF97EABA21CF14D03AEBC79F27,SHA256=A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002545Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:02.326{928AB1BB-E35D-60C1-0B00-00000000C301}632840C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000002544Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:02.326{928AB1BB-E35D-60C1-0B00-00000000C301}632840C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000002543Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:02.326{928AB1BB-E35D-60C1-0B00-00000000C301}632840C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000002542Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:02.326{928AB1BB-E35D-60C1-0B00-00000000C301}632692C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 354300x80000000000000002541Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:00.943{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-365.attackrange.local52742-false10.0.1.14win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000002540Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:00.372{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse46.128.24.7946.128.24.79.dynamic.cablesurf.de52712-false10.0.1.14win-dc-365.attackrange.local5986- 354300x80000000000000002539Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:59.936{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsetrue2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52741-true2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000002538Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:06:59.936{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruetrue2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52741-true2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000002560Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:01.961{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52747-truefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000002559Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:01.961{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52747-truefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000002558Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:01.958{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-365.attackrange.local52746-false10.0.1.14win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000002557Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:01.958{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-365.attackrange.local52746-false10.0.1.14win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000002556Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:00.952{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsetrue2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52745-true2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000002555Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:00.952{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruetrue2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52745-true2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000002554Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:00.949{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local52744-truefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local445microsoft-ds 354300x80000000000000002553Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:00.949{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local52744-truefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local445microsoft-ds 354300x80000000000000002552Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:00.946{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52743-truefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000002551Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:00.946{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52743-truefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000002550Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:00.943{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-365.attackrange.local52742-false10.0.1.14win-dc-365.attackrange.local445microsoft-ds 10341000x80000000000000002549Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:03.344{928AB1BB-E35D-60C1-0B00-00000000C301}632852C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000002548Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:03.344{928AB1BB-E35D-60C1-0B00-00000000C301}632852C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000002547Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:03.344{928AB1BB-E35D-60C1-0B00-00000000C301}632852C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000002546Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:03.344{928AB1BB-E35D-60C1-0B00-00000000C301}632852C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 354300x80000000000000002572Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:02.977{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52751-truefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000002571Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:02.977{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52751-truefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000002570Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:02.974{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-365.attackrange.local52750-false10.0.1.14win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000002569Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:02.974{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-365.attackrange.local52750-false10.0.1.14win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000002568Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:01.967{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsetrue2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52749-true2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000002567Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:01.967{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruetrue2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52749-true2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000002566Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:01.964{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local52748-truefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local445microsoft-ds 354300x80000000000000002565Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:01.964{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local52748-truefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local445microsoft-ds 10341000x80000000000000002564Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:04.362{928AB1BB-E35D-60C1-0B00-00000000C301}632676C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000002563Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:04.362{928AB1BB-E35D-60C1-0B00-00000000C301}632676C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000002562Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:04.362{928AB1BB-E35D-60C1-0B00-00000000C301}632692C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000002561Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:04.362{928AB1BB-E35D-60C1-0B00-00000000C301}632676C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 354300x80000000000000002586Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:03.995{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52756-truefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000002585Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:03.995{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52756-truefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000002584Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:03.993{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52755-truefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000002583Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:03.993{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52755-truefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000002582Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:03.990{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-365.attackrange.local52754-false10.0.1.14win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000002581Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:03.989{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-365.attackrange.local52754-false10.0.1.14win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000002580Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:02.983{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsetrue2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52753-true2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000002579Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:02.983{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruetrue2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52753-true2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000002578Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:02.980{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local52752-truefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local445microsoft-ds 354300x80000000000000002577Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:02.980{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local52752-truefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local445microsoft-ds 10341000x80000000000000002576Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:05.380{928AB1BB-E35D-60C1-0B00-00000000C301}632840C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000002575Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:05.380{928AB1BB-E35D-60C1-0B00-00000000C301}632840C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000002574Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:05.380{928AB1BB-E35D-60C1-0B00-00000000C301}632676C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000002573Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:05.380{928AB1BB-E35D-60C1-0B00-00000000C301}632692C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 354300x80000000000000002600Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:05.014{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local52761-truefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local445microsoft-ds 354300x80000000000000002599Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:05.014{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local52761-truefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local445microsoft-ds 354300x80000000000000002598Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:05.011{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52760-truefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000002597Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:05.011{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52760-truefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000002596Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:05.008{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-365.attackrange.local52759-false10.0.1.14win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000002595Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:05.008{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-365.attackrange.local52759-false10.0.1.14win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000002594Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:05.005{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsetrue2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52758-true2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000002593Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:05.005{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruetrue2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52758-true2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000002592Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:03.998{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local52757-truefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local445microsoft-ds 354300x80000000000000002591Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:03.998{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local52757-truefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local445microsoft-ds 10341000x80000000000000002590Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:06.398{928AB1BB-E35D-60C1-0B00-00000000C301}632676C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000002589Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:06.398{928AB1BB-E35D-60C1-0B00-00000000C301}632676C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000002588Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:06.398{928AB1BB-E35D-60C1-0B00-00000000C301}632676C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000002587Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:06.398{928AB1BB-E35D-60C1-0B00-00000000C301}632840C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 354300x80000000000000002612Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:06.031{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local52765-truefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local445microsoft-ds 354300x80000000000000002611Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:06.031{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local52765-truefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local445microsoft-ds 354300x80000000000000002610Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:06.027{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52764-truefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000002609Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:06.027{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52764-truefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000002608Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:06.024{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-365.attackrange.local52763-false10.0.1.14win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000002607Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:06.024{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-365.attackrange.local52763-false10.0.1.14win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000002606Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:06.021{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsetrue2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52762-true2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000002605Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:06.021{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruetrue2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52762-true2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 10341000x80000000000000002604Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:07.431{928AB1BB-E35D-60C1-0B00-00000000C301}632676C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000002603Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:07.416{928AB1BB-E35D-60C1-0B00-00000000C301}632676C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000002602Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:07.416{928AB1BB-E35D-60C1-0B00-00000000C301}632676C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000002601Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:07.416{928AB1BB-E35D-60C1-0B00-00000000C301}632692C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000002618Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:08.465{928AB1BB-E35D-60C1-0B00-00000000C301}632840C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000002617Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:08.449{928AB1BB-E35D-60C1-0B00-00000000C301}632840C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000002616Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:08.449{928AB1BB-E35D-60C1-0B00-00000000C301}632840C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000002615Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:08.449{928AB1BB-E35D-60C1-0B00-00000000C301}632676C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 354300x80000000000000002614Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:07.036{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsetrue2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52766-true2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000002613Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:07.036{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruetrue2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52766-true2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000002636Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:08.079{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local52773-truefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local445microsoft-ds 354300x80000000000000002635Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:08.078{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local52773-truefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local445microsoft-ds 354300x80000000000000002634Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:08.076{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52772-truefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000002633Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:08.076{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52772-truefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000002632Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:08.073{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-365.attackrange.local52771-false10.0.1.14win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000002631Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:08.073{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-365.attackrange.local52771-false10.0.1.14win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000002630Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:08.068{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsetrue2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52770-true2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000002629Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:08.068{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruetrue2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52770-true2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000002628Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:07.047{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local52769-truefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local445microsoft-ds 354300x80000000000000002627Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:07.047{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local52769-truefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local445microsoft-ds 354300x80000000000000002626Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:07.043{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52768-truefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000002625Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:07.043{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52768-truefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000002624Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:07.040{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-365.attackrange.local52767-false10.0.1.14win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000002623Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:07.040{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-365.attackrange.local52767-false10.0.1.14win-dc-365.attackrange.local445microsoft-ds 10341000x80000000000000002622Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:09.483{928AB1BB-E35D-60C1-0B00-00000000C301}632844C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000002621Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:09.483{928AB1BB-E35D-60C1-0B00-00000000C301}632840C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000002620Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:09.483{928AB1BB-E35D-60C1-0B00-00000000C301}632844C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000002619Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:09.483{928AB1BB-E35D-60C1-0B00-00000000C301}632840C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 354300x80000000000000002648Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:09.108{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local52777-truefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local445microsoft-ds 354300x80000000000000002647Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:09.108{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local52777-truefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local445microsoft-ds 354300x80000000000000002646Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:09.106{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52776-truefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000002645Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:09.106{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52776-truefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 10341000x80000000000000002644Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:10.501{928AB1BB-E35D-60C1-0B00-00000000C301}632844C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000002643Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:10.501{928AB1BB-E35D-60C1-0B00-00000000C301}632676C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000002642Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:10.501{928AB1BB-E35D-60C1-0B00-00000000C301}632844C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000002641Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:10.501{928AB1BB-E35D-60C1-0B00-00000000C301}632692C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 354300x80000000000000002640Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:09.102{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-365.attackrange.local52775-false10.0.1.14win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000002639Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:09.102{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-365.attackrange.local52775-false10.0.1.14win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000002638Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:09.099{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsetrue2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52774-true2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000002637Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:09.099{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruetrue2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52774-true2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 13241300x80000000000000002661Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-SetValue2021-06-10 10:07:11.926{928AB1BB-E35F-60C1-1100-00000000C301}404C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d75de0-0x616c53b4) 354300x80000000000000002660Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:10.123{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local52782-truefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local445microsoft-ds 354300x80000000000000002659Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:10.123{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local52782-truefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local445microsoft-ds 354300x80000000000000002658Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:10.120{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52781-truefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000002657Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:10.120{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52781-truefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000002656Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:10.118{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-365.attackrange.local52780-false10.0.1.14win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000002655Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:10.118{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-365.attackrange.local52780-false10.0.1.14win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000002654Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:10.114{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsetrue2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52779-true2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000002653Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:10.114{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruetrue2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52779-true2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 10341000x80000000000000002652Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:11.519{928AB1BB-E35D-60C1-0B00-00000000C301}632844C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000002651Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:11.519{928AB1BB-E35D-60C1-0B00-00000000C301}632844C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000002650Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:11.519{928AB1BB-E35D-60C1-0B00-00000000C301}632844C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000002649Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:11.519{928AB1BB-E35D-60C1-0B00-00000000C301}632676C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000002685Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:12.991{928AB1BB-E35F-60C1-0C00-00000000C301}860108C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002684Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:12.991{928AB1BB-E35F-60C1-0C00-00000000C301}860108C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002683Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:12.991{928AB1BB-E349-60C1-0500-00000000C301}412532C:\Windows\system32\csrss.exe{928AB1BB-E450-60C1-FB02-00000000C301}3728\\?\C:\Windows\system32\wbem\WMIADAP.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000002682Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:12.991{928AB1BB-E35F-60C1-0C00-00000000C301}860108C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002681Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:12.991{928AB1BB-E35F-60C1-0C00-00000000C301}860108C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002680Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:12.991{928AB1BB-E35F-60C1-0C00-00000000C301}860108C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002679Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:12.991{928AB1BB-E35F-60C1-0C00-00000000C301}860108C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002678Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:12.991{928AB1BB-E35F-60C1-0C00-00000000C301}860108C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002677Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:12.991{928AB1BB-E35F-60C1-1600-00000000C301}12641924C:\Windows\system32\svchost.exe{928AB1BB-E450-60C1-FB02-00000000C301}3728\\?\C:\Windows\system32\wbem\WMIADAP.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|c:\windows\system32\wbem\wmisvc.dll+2624|c:\windows\system32\wbem\wmisvc.dll+2491|C:\Windows\SYSTEM32\ntdll.dll+7de1d|C:\Windows\SYSTEM32\ntdll.dll+3a969|C:\Windows\SYSTEM32\ntdll.dll+1e86f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002676Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:12.991{928AB1BB-E35F-60C1-0C00-00000000C301}860108C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002675Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:12.991{928AB1BB-E35F-60C1-0C00-00000000C301}860108C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000002674Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:12.912{928AB1BB-E35F-60C1-1000-00000000C301}8NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=94592AF79E127F0AF9A2E3B12B1EEC17,SHA256=D54E5F90FB609387726033F243796D2C50CF13F8EC29CC6FCD9CA7582D298B59,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002673Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:11.139{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local52786-truefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local445microsoft-ds 354300x80000000000000002672Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:11.139{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local52786-truefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local445microsoft-ds 354300x80000000000000002671Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:11.137{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52785-truefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000002670Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:11.137{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52785-truefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000002669Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:11.134{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-365.attackrange.local52784-false10.0.1.14win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000002668Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:11.134{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-365.attackrange.local52784-false10.0.1.14win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000002667Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:11.131{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsetrue2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52783-true2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000002666Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:11.131{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruetrue2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52783-true2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 10341000x80000000000000002665Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:12.537{928AB1BB-E35D-60C1-0B00-00000000C301}632676C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000002664Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:12.537{928AB1BB-E35D-60C1-0B00-00000000C301}632844C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000002663Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:12.537{928AB1BB-E35D-60C1-0B00-00000000C301}632844C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000002662Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:12.537{928AB1BB-E35D-60C1-0B00-00000000C301}632844C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 23542300x80000000000000002753Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:13.992{928AB1BB-E451-60C1-FF02-00000000C301}4356ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_yxqk1tdl.anc.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002752Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:13.992{928AB1BB-E451-60C1-FF02-00000000C301}4356ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_i1rpa04l.g5e.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000002751Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:13.976{928AB1BB-E451-60C1-FF02-00000000C301}4356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_i1rpa04l.g5e.ps12021-06-10 10:07:13.976 10341000x80000000000000002750Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:13.976{928AB1BB-E35F-60C1-0C00-00000000C301}860108C:\Windows\system32\svchost.exe{928AB1BB-E451-60C1-FF02-00000000C301}4356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002749Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:13.961{928AB1BB-E35D-60C1-0B00-00000000C301}632692C:\Windows\system32\lsass.exe{928AB1BB-E35F-60C1-1300-00000000C301}964C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+1d1e8|C:\Windows\system32\lsasrv.dll+1c411|C:\Windows\system32\lsasrv.dll+1ac30|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002748Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:13.961{928AB1BB-E35D-60C1-0B00-00000000C301}632692C:\Windows\system32\lsass.exe{928AB1BB-E35F-60C1-1300-00000000C301}964C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+19616|C:\Windows\system32\lsasrv.dll+1abbf|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002747Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:13.961{928AB1BB-E35D-60C1-0B00-00000000C301}632692C:\Windows\system32\lsass.exe{928AB1BB-E35F-60C1-1300-00000000C301}964C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002746Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:13.945{928AB1BB-E451-60C1-FD02-00000000C301}35483304C:\Windows\system32\conhost.exe{928AB1BB-E451-60C1-FF02-00000000C301}4356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002745Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:13.945{928AB1BB-E35F-60C1-0C00-00000000C301}860108C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002744Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:13.945{928AB1BB-E35F-60C1-0C00-00000000C301}860108C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002743Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:13.945{928AB1BB-E35F-60C1-0C00-00000000C301}860108C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002742Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:13.945{928AB1BB-E35F-60C1-0C00-00000000C301}860108C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002741Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:13.945{928AB1BB-E35F-60C1-0C00-00000000C301}860108C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002740Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:13.945{928AB1BB-E35F-60C1-0C00-00000000C301}860108C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002739Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:13.945{928AB1BB-E35F-60C1-0C00-00000000C301}860108C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002738Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:13.945{928AB1BB-E35F-60C1-0C00-00000000C301}860108C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002737Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:13.945{928AB1BB-E35F-60C1-0C00-00000000C301}860108C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002736Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:13.945{928AB1BB-E349-60C1-0500-00000000C301}412500C:\Windows\system32\csrss.exe{928AB1BB-E451-60C1-FF02-00000000C301}4356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000002735Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:13.945{928AB1BB-E451-60C1-FE02-00000000C301}36484524C:\Windows\system32\cmd.exe{928AB1BB-E451-60C1-FF02-00000000C301}4356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000002734Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:13.949{928AB1BB-E451-60C1-FF02-00000000C301}4356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXEPowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand KABHAGUAdAAtAFcAbQBpAE8AYgBqAGUAYwB0ACAALQBDAGwAYQBzAHMATgBhAG0AZQAgAFcAaQBuADMAMgBfAE8AcABlAHIAYQB0AGkAbgBnAFMAeQBzAHQAZQBtACkALgBMAGEAcwB0AEIAbwBvAHQAVQBwAFQAaQBtAGUAC:\Users\Administrator\ATTACKRANGE\Administrator{928AB1BB-E451-60C1-08D0-100000000000}0x10d0080HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{928AB1BB-E451-60C1-FE02-00000000C301}3648C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /C PowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand KABHAGUAdAAtAFcAbQBpAE8AYgBqAGUAYwB0ACAALQBDAGwAYQBzAHMATgBhAG0AZQAgAFcAaQBuADMAMgBfAE8AcABlAHIAYQB0AGkAbgBnAFMAeQBzAHQAZQBtACkALgBMAGEAcwB0AEIAbwBvAHQAVQBwAFQAaQBtAGUA 10341000x80000000000000002733Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:13.945{928AB1BB-E451-60C1-FD02-00000000C301}35483304C:\Windows\system32\conhost.exe{928AB1BB-E451-60C1-FE02-00000000C301}3648C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002732Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:13.929{928AB1BB-E35F-60C1-0C00-00000000C301}860108C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002731Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:13.929{928AB1BB-E35F-60C1-0C00-00000000C301}860108C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002730Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:13.929{928AB1BB-E35F-60C1-0C00-00000000C301}860108C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002729Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:13.929{928AB1BB-E35F-60C1-0C00-00000000C301}860108C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002728Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:13.929{928AB1BB-E35F-60C1-0C00-00000000C301}860108C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002727Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:13.929{928AB1BB-E35F-60C1-0C00-00000000C301}860108C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002726Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:13.929{928AB1BB-E35F-60C1-0C00-00000000C301}860108C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002725Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:13.929{928AB1BB-E35F-60C1-0C00-00000000C301}860108C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002724Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:13.929{928AB1BB-E349-60C1-0500-00000000C301}412532C:\Windows\system32\csrss.exe{928AB1BB-E451-60C1-FE02-00000000C301}3648C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000002723Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:13.929{928AB1BB-E35F-60C1-0C00-00000000C301}860108C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002722Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:13.929{928AB1BB-E451-60C1-FC02-00000000C301}3504656C:\Windows\system32\WinrsHost.exe{928AB1BB-E451-60C1-FE02-00000000C301}3648C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\WinrsHost.exe+2c94|C:\Windows\system32\WinrsHost.exe+2eb1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b 154100x80000000000000002721Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:13.943{928AB1BB-E451-60C1-FE02-00000000C301}3648C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /C PowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand KABHAGUAdAAtAFcAbQBpAE8AYgBqAGUAYwB0ACAALQBDAGwAYQBzAHMATgBhAG0AZQAgAFcAaQBuADMAMgBfAE8AcABlAHIAYQB0AGkAbgBnAFMAeQBzAHQAZQBtACkALgBMAGEAcwB0AEIAbwBvAHQAVQBwAFQAaQBtAGUAC:\Users\Administrator\ATTACKRANGE\Administrator{928AB1BB-E451-60C1-08D0-100000000000}0x10d0080HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{928AB1BB-E451-60C1-FC02-00000000C301}3504C:\Windows\System32\winrshost.exeC:\Windows\system32\WinrsHost.exe -Embedding 10341000x80000000000000002720Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:13.929{928AB1BB-E35D-60C1-0B00-00000000C301}632692C:\Windows\system32\lsass.exe{928AB1BB-E35F-60C1-1300-00000000C301}964C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+1d1e8|C:\Windows\system32\lsasrv.dll+1c411|C:\Windows\system32\lsasrv.dll+1ac30|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002719Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:13.929{928AB1BB-E35D-60C1-0B00-00000000C301}632692C:\Windows\system32\lsass.exe{928AB1BB-E35F-60C1-1300-00000000C301}964C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+19616|C:\Windows\system32\lsasrv.dll+1abbf|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002718Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:13.929{928AB1BB-E35D-60C1-0B00-00000000C301}632692C:\Windows\system32\lsass.exe{928AB1BB-E35F-60C1-1300-00000000C301}964C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002717Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:13.914{928AB1BB-E35F-60C1-1300-00000000C301}9641504C:\Windows\system32\svchost.exe{928AB1BB-E451-60C1-FC02-00000000C301}3504C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\winrscmd.dll+8d36|C:\Windows\system32\winrscmd.dll+92d5|C:\Windows\system32\winrscmd.dll+af31|C:\Windows\system32\winrscmd.dll+23dc|c:\windows\system32\wsmsvc.dll+155ac7|c:\windows\system32\wsmsvc.dll+13f76d|c:\windows\system32\wsmsvc.dll+13f3cf|c:\windows\system32\wsmsvc.dll+13fcb2|c:\windows\system32\wsmsvc.dll+9ab10|c:\windows\system32\wsmsvc.dll+9b611|c:\windows\system32\wsmsvc.dll+4495|c:\windows\system32\wsmsvc.dll+16816c|c:\windows\system32\wsmsvc.dll+1689b8|c:\windows\system32\wsmsvc.dll+16345b|c:\windows\system32\wsmsvc.dll+163125|c:\windows\system32\wsmsvc.dll+14ce9c|c:\windows\system32\wsmsvc.dll+130049|c:\windows\system32\wsmsvc.dll+13571a|c:\windows\system32\wsmsvc.dll+12f47e|c:\windows\system32\wsmsvc.dll+125587|c:\windows\system32\wsmsvc.dll+11f562|c:\windows\system32\wsmsvc.dll+124574 10341000x80000000000000002716Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:13.898{928AB1BB-E35F-60C1-0C00-00000000C301}860108C:\Windows\system32\svchost.exe{928AB1BB-E451-60C1-FC02-00000000C301}3504C:\Windows\system32\WinrsHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002715Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:13.898{928AB1BB-E451-60C1-FD02-00000000C301}35483304C:\Windows\system32\conhost.exe{928AB1BB-E451-60C1-FC02-00000000C301}3504C:\Windows\system32\WinrsHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002714Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:13.882{928AB1BB-E349-60C1-0500-00000000C301}412532C:\Windows\system32\csrss.exe{928AB1BB-E451-60C1-FD02-00000000C301}3548C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000002713Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:13.882{928AB1BB-E35F-60C1-0C00-00000000C301}860108C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002712Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:13.882{928AB1BB-E35F-60C1-0C00-00000000C301}860108C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002711Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:13.882{928AB1BB-E35F-60C1-0C00-00000000C301}860108C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002710Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:13.882{928AB1BB-E35F-60C1-0C00-00000000C301}860108C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002709Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:13.882{928AB1BB-E35F-60C1-0C00-00000000C301}860108C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002708Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:13.882{928AB1BB-E35F-60C1-0C00-00000000C301}860108C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002707Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:13.882{928AB1BB-E35F-60C1-0C00-00000000C301}860108C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002706Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:13.882{928AB1BB-E35F-60C1-0C00-00000000C301}860108C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002705Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:13.882{928AB1BB-E35F-60C1-0C00-00000000C301}860108C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002704Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:13.882{928AB1BB-E349-60C1-0500-00000000C301}412428C:\Windows\system32\csrss.exe{928AB1BB-E451-60C1-FC02-00000000C301}3504C:\Windows\system32\WinrsHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000002703Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:13.882{928AB1BB-E35F-60C1-0C00-00000000C301}860904C:\Windows\system32\svchost.exe{928AB1BB-E451-60C1-FC02-00000000C301}3504C:\Windows\system32\WinrsHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+35069|c:\windows\system32\rpcss.dll+3a852|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000002702Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:13.887{928AB1BB-E451-60C1-FC02-00000000C301}3504C:\Windows\System32\winrshost.exe10.0.14393.0 (rs1_release.160715-1616)Host Process for WinRM's Remote Shell pluginMicrosoft® Windows® Operating SystemMicrosoft Corporationwinrshost.exeC:\Windows\system32\WinrsHost.exe -EmbeddingC:\Windows\system32\ATTACKRANGE\Administrator{928AB1BB-E451-60C1-08D0-100000000000}0x10d0080HighMD5=F40EC96CA18D88CB1F26FA2070010714,SHA256=607C014A3CA531FFAD50BCD90095C01E4E6B691D9E18473C70E4699CF1E31453,IMPHASH=4216D8E7F36901B61DFD6309B49BCF96{928AB1BB-E35F-60C1-0C00-00000000C301}860C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch 10341000x80000000000000002701Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:13.882{928AB1BB-E35D-60C1-0B00-00000000C301}632692C:\Windows\system32\lsass.exe{928AB1BB-E35F-60C1-1300-00000000C301}964C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+1d1e8|C:\Windows\system32\lsasrv.dll+1c411|C:\Windows\system32\lsasrv.dll+1ac30|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002700Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:13.882{928AB1BB-E35D-60C1-0B00-00000000C301}632692C:\Windows\system32\lsass.exe{928AB1BB-E35F-60C1-1300-00000000C301}964C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+19616|C:\Windows\system32\lsasrv.dll+1abbf|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002699Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:13.882{928AB1BB-E35D-60C1-0B00-00000000C301}632692C:\Windows\system32\lsass.exe{928AB1BB-E35F-60C1-1300-00000000C301}964C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000002698Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:12.154{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local52790-truefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local445microsoft-ds 354300x80000000000000002697Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:12.154{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local52790-truefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local445microsoft-ds 354300x80000000000000002696Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:12.152{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52789-truefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000002695Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:12.151{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52789-truefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000002694Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:12.149{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-365.attackrange.local52788-false10.0.1.14win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000002693Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:12.149{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-365.attackrange.local52788-false10.0.1.14win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000002692Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:12.145{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsetrue2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52787-true2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000002691Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:12.145{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruetrue2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52787-true2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 10341000x80000000000000002690Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:13.554{928AB1BB-E35D-60C1-0B00-00000000C301}632692C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000002689Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:13.554{928AB1BB-E35D-60C1-0B00-00000000C301}632676C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000002688Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:13.554{928AB1BB-E35D-60C1-0B00-00000000C301}632676C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000002687Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:13.554{928AB1BB-E35D-60C1-0B00-00000000C301}632844C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000002686Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:13.006{928AB1BB-E35F-60C1-0C00-00000000C301}860108C:\Windows\system32\svchost.exe{928AB1BB-E450-60C1-FB02-00000000C301}3728\\?\C:\Windows\system32\wbem\WMIADAP.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000002773Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:13.428{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse46.128.24.7946.128.24.79.dynamic.cablesurf.de52718-false10.0.1.14win-dc-365.attackrange.local5986- 354300x80000000000000002772Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:13.170{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local52794-truefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local445microsoft-ds 354300x80000000000000002771Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:13.170{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local52794-truefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local445microsoft-ds 354300x80000000000000002770Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:13.167{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52793-truefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000002769Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:13.167{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52793-truefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000002768Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:13.164{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-365.attackrange.local52792-false10.0.1.14win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000002767Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:13.164{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-365.attackrange.local52792-false10.0.1.14win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000002766Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:13.161{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsetrue2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52791-true2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000002765Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:13.161{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruetrue2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52791-true2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 10341000x80000000000000002764Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:14.571{928AB1BB-E35D-60C1-0B00-00000000C301}632840C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000002763Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:14.571{928AB1BB-E35D-60C1-0B00-00000000C301}632676C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000002762Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:14.571{928AB1BB-E35D-60C1-0B00-00000000C301}632840C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000002761Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:14.571{928AB1BB-E35D-60C1-0B00-00000000C301}632692C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000002760Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:14.289{928AB1BB-E35D-60C1-0B00-00000000C301}632692C:\Windows\system32\lsass.exe{928AB1BB-E35F-60C1-1300-00000000C301}964C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+1d1e8|C:\Windows\system32\lsasrv.dll+1c411|C:\Windows\system32\lsasrv.dll+1ac30|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002759Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:14.289{928AB1BB-E35D-60C1-0B00-00000000C301}632692C:\Windows\system32\lsass.exe{928AB1BB-E35F-60C1-1300-00000000C301}964C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+19616|C:\Windows\system32\lsasrv.dll+1abbf|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002758Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:14.289{928AB1BB-E35D-60C1-0B00-00000000C301}632692C:\Windows\system32\lsass.exe{928AB1BB-E35F-60C1-1300-00000000C301}964C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000002757Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:14.164{928AB1BB-E451-60C1-FF02-00000000C301}4356ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5=446DD1CF97EABA21CF14D03AEBC79F27,SHA256=A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002756Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:14.023{928AB1BB-E35D-60C1-0B00-00000000C301}632692C:\Windows\system32\lsass.exe{928AB1BB-E451-60C1-FF02-00000000C301}4356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002755Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:14.023{928AB1BB-E35D-60C1-0B00-00000000C301}632692C:\Windows\system32\lsass.exe{928AB1BB-E451-60C1-FF02-00000000C301}4356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 17141700x80000000000000002754Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-CreatePipe2021-06-10 10:07:14.008{928AB1BB-E451-60C1-FF02-00000000C301}4356\PSHost.132677932339493381.4356.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 23542300x80000000000000002786Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:15.916{928AB1BB-E450-60C1-FB02-00000000C301}3728NT AUTHORITY\SYSTEM\\?\C:\Windows\system32\wbem\WMIADAP.EXEC:\Windows\System32\wbem\Performance\WmiApRpl.hMD5=B133A676D139032A27DE3D9619E70091,SHA256=AE2B6236D3EEB4822835714AE9444E5DCD21BC60F7A909F2962C43BC743C7B15,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002785Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:14.185{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local52798-truefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local445microsoft-ds 354300x80000000000000002784Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:14.185{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local52798-truefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local445microsoft-ds 354300x80000000000000002783Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:14.183{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52797-truefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000002782Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:14.182{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52797-truefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000002781Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:14.180{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-365.attackrange.local52796-false10.0.1.14win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000002780Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:14.180{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-365.attackrange.local52796-false10.0.1.14win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000002779Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:14.177{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsetrue2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52795-true2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000002778Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:14.177{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruetrue2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52795-true2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 10341000x80000000000000002777Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:15.587{928AB1BB-E35D-60C1-0B00-00000000C301}632840C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000002776Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:15.587{928AB1BB-E35D-60C1-0B00-00000000C301}632844C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000002775Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:15.587{928AB1BB-E35D-60C1-0B00-00000000C301}632676C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000002774Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:15.587{928AB1BB-E35D-60C1-0B00-00000000C301}632676C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 354300x80000000000000002798Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:15.201{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local52802-truefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local445microsoft-ds 354300x80000000000000002797Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:15.201{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local52802-truefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local445microsoft-ds 354300x80000000000000002796Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:15.198{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52801-truefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000002795Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:15.198{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52801-truefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000002794Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:15.195{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-365.attackrange.local52800-false10.0.1.14win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000002793Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:15.195{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-365.attackrange.local52800-false10.0.1.14win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000002792Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:15.192{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsetrue2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52799-true2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000002791Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:15.192{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruetrue2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52799-true2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 10341000x80000000000000002790Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:16.604{928AB1BB-E35D-60C1-0B00-00000000C301}632844C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000002789Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:16.604{928AB1BB-E35D-60C1-0B00-00000000C301}632692C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000002788Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:16.604{928AB1BB-E35D-60C1-0B00-00000000C301}632692C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000002787Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:16.604{928AB1BB-E35D-60C1-0B00-00000000C301}632840C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 354300x80000000000000002808Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:16.214{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52805-truefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000002807Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:16.214{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52805-truefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000002806Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:16.211{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-365.attackrange.local52804-false10.0.1.14win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000002805Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:16.211{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-365.attackrange.local52804-false10.0.1.14win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000002804Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:16.208{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsetrue2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52803-true2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000002803Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:16.208{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruetrue2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52803-true2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 10341000x80000000000000002802Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:17.621{928AB1BB-E35D-60C1-0B00-00000000C301}632676C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000002801Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:17.621{928AB1BB-E35D-60C1-0B00-00000000C301}632692C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000002800Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:17.621{928AB1BB-E35D-60C1-0B00-00000000C301}632676C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000002799Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:17.621{928AB1BB-E35D-60C1-0B00-00000000C301}632676C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 354300x80000000000000002818Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:17.227{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-365.attackrange.local52808-false10.0.1.14win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000002817Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:17.227{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-365.attackrange.local52808-false10.0.1.14win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000002816Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:17.224{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsetrue2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52807-true2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000002815Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:17.224{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruetrue2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52807-true2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 10341000x80000000000000002814Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:18.638{928AB1BB-E35D-60C1-0B00-00000000C301}632844C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000002813Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:18.638{928AB1BB-E35D-60C1-0B00-00000000C301}632844C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000002812Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:18.638{928AB1BB-E35D-60C1-0B00-00000000C301}632676C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000002811Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:18.638{928AB1BB-E35D-60C1-0B00-00000000C301}632692C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 354300x80000000000000002810Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:16.217{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local52806-truefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local445microsoft-ds 354300x80000000000000002809Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:16.216{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local52806-truefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local445microsoft-ds 354300x80000000000000002832Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:18.245{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52813-truefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000002831Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:18.245{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52813-truefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000002830Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:18.242{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-365.attackrange.local52812-false10.0.1.14win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000002829Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:18.242{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-365.attackrange.local52812-false10.0.1.14win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000002828Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:18.239{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsetrue2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52811-true2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000002827Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:18.239{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruetrue2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52811-true2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 10341000x80000000000000002826Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:19.655{928AB1BB-E35D-60C1-0B00-00000000C301}632844C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000002825Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:19.655{928AB1BB-E35D-60C1-0B00-00000000C301}632692C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000002824Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:19.655{928AB1BB-E35D-60C1-0B00-00000000C301}632840C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000002823Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:19.655{928AB1BB-E35D-60C1-0B00-00000000C301}632676C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 354300x80000000000000002822Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:17.232{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local52810-truefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local445microsoft-ds 354300x80000000000000002821Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:17.232{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local52810-truefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local445microsoft-ds 354300x80000000000000002820Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:17.230{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52809-truefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000002819Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:17.229{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52809-truefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000002844Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:19.261{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52817-truefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000002843Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:19.261{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52817-truefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000002842Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:19.258{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-365.attackrange.local52816-false10.0.1.14win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000002841Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:19.258{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-365.attackrange.local52816-false10.0.1.14win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000002840Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:19.255{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsetrue2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52815-true2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000002839Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:19.255{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruetrue2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52815-true2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 10341000x80000000000000002838Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:20.687{928AB1BB-E35D-60C1-0B00-00000000C301}632844C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000002837Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:20.687{928AB1BB-E35D-60C1-0B00-00000000C301}632676C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000002836Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:20.687{928AB1BB-E35D-60C1-0B00-00000000C301}632692C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000002835Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:20.687{928AB1BB-E35D-60C1-0B00-00000000C301}632840C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 354300x80000000000000002834Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:18.247{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local52814-truefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local445microsoft-ds 354300x80000000000000002833Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:18.247{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local52814-truefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local445microsoft-ds 354300x80000000000000002858Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:20.295{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local52822-truefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local445microsoft-ds 354300x80000000000000002857Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:20.295{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local52822-truefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local445microsoft-ds 354300x80000000000000002856Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:20.292{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52821-truefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000002855Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:20.292{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52821-truefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000002854Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:20.289{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-365.attackrange.local52820-false10.0.1.14win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000002853Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:20.289{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-365.attackrange.local52820-false10.0.1.14win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000002852Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:20.286{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsetrue2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52819-true2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000002851Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:20.286{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruetrue2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52819-true2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 10341000x80000000000000002850Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:21.704{928AB1BB-E35D-60C1-0B00-00000000C301}632844C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000002849Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:21.704{928AB1BB-E35D-60C1-0B00-00000000C301}632844C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000002848Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:21.704{928AB1BB-E35D-60C1-0B00-00000000C301}632844C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000002847Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:21.704{928AB1BB-E35D-60C1-0B00-00000000C301}632676C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 354300x80000000000000002846Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:19.264{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local52818-truefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local445microsoft-ds 354300x80000000000000002845Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:19.264{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local52818-truefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local445microsoft-ds 354300x80000000000000002866Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:21.304{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-365.attackrange.local52824-false10.0.1.14win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000002865Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:21.304{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-365.attackrange.local52824-false10.0.1.14win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000002864Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:21.301{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsetrue2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52823-true2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000002863Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:21.301{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruetrue2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52823-true2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 10341000x80000000000000002862Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:22.721{928AB1BB-E35D-60C1-0B00-00000000C301}632840C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000002861Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:22.721{928AB1BB-E35D-60C1-0B00-00000000C301}632844C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000002860Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:22.721{928AB1BB-E35D-60C1-0B00-00000000C301}632840C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000002859Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:22.721{928AB1BB-E35D-60C1-0B00-00000000C301}632844C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000002899Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:23.737{928AB1BB-E35D-60C1-0B00-00000000C301}632844C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000002898Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:23.737{928AB1BB-E35D-60C1-0B00-00000000C301}632692C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000002897Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:23.737{928AB1BB-E35D-60C1-0B00-00000000C301}632844C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 12241200x80000000000000002896Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.localSuspicious,ImageBeginWithBackslashDeleteValue2021-06-10 10:07:23.737{928AB1BB-E450-60C1-FB02-00000000C301}3728\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib\Updating 13241300x80000000000000002895Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.localSuspicious,ImageBeginWithBackslashSetValue2021-06-10 10:07:23.737{928AB1BB-E450-60C1-FB02-00000000C301}3728\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\System\CurrentControlSet\Services\WmiApRpl\Performance\Object List25952 25958 25968 25978 25998 26042 26052 26090 26096 26112 13241300x80000000000000002894Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.localSuspicious,ImageBeginWithBackslashSetValue2021-06-10 10:07:23.737{928AB1BB-E450-60C1-FB02-00000000C301}3728\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\System\CurrentControlSet\Services\WmiApRpl\Performance\First HelpDWORD (0x00006561) 13241300x80000000000000002893Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.localSuspicious,ImageBeginWithBackslashSetValue2021-06-10 10:07:23.737{928AB1BB-E450-60C1-FB02-00000000C301}3728\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\System\CurrentControlSet\Services\WmiApRpl\Performance\First CounterDWORD (0x00006560) 13241300x80000000000000002892Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.localSuspicious,ImageBeginWithBackslashSetValue2021-06-10 10:07:23.737{928AB1BB-E450-60C1-FB02-00000000C301}3728\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\System\CurrentControlSet\Services\WmiApRpl\Performance\Last HelpDWORD (0x00006607) 13241300x80000000000000002891Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.localSuspicious,ImageBeginWithBackslashSetValue2021-06-10 10:07:23.737{928AB1BB-E450-60C1-FB02-00000000C301}3728\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\System\CurrentControlSet\Services\WmiApRpl\Performance\Last CounterDWORD (0x00006606) 13241300x80000000000000002890Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.localSuspicious,ImageBeginWithBackslashSetValue2021-06-10 10:07:23.737{928AB1BB-E450-60C1-FB02-00000000C301}3728\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib\Last HelpDWORD (0x00006607) 13241300x80000000000000002889Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.localSuspicious,ImageBeginWithBackslashSetValue2021-06-10 10:07:23.737{928AB1BB-E450-60C1-FB02-00000000C301}3728\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib\Last CounterDWORD (0x00006606) 10341000x80000000000000002888Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:23.737{928AB1BB-E35D-60C1-0B00-00000000C301}632844C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 23542300x80000000000000002887Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:23.737{928AB1BB-E450-60C1-FB02-00000000C301}3728NT AUTHORITY\SYSTEM\\?\C:\Windows\system32\wbem\WMIADAP.EXEC:\Windows\System32\PerfStringBackup.TMPMD5=CE113E5C22BF5C94F0E20EDC21911A8F,SHA256=2C508A5B5CCA1729CB8848F04E75F5F0DF3244DC33FB99F0CEAAEA527A21F9A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002886Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:23.706{928AB1BB-E450-60C1-FB02-00000000C301}3728NT AUTHORITY\SYSTEM\\?\C:\Windows\system32\wbem\WMIADAP.EXEC:\Windows\System32\PerfStringBackup.INIMD5=FE193A892289F5307681F00B4CA3AD8E,SHA256=3DE849701FECDD6631F36EC47E3C7B883B1B83BDC4A97A8DA46A9CC58ACC3CE8,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002885Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:21.310{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local52826-truefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local445microsoft-ds 354300x80000000000000002884Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:21.310{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local52826-truefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local445microsoft-ds 354300x80000000000000002883Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:21.307{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52825-truefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000002882Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:21.307{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52825-truefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 13241300x80000000000000002881Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.localSuspicious,ImageBeginWithBackslashSetValue2021-06-10 10:07:23.628{928AB1BB-E450-60C1-FB02-00000000C301}3728\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib\UpdatingWmiApRpl 13241300x80000000000000002880Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.localSuspicious,ImageBeginWithBackslashSetValue2021-06-10 10:07:23.628{928AB1BB-E450-60C1-FB02-00000000C301}3728\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\System\CurrentControlSet\Services\WmiApRpl\Performance\PerfIniFileWmiApRpl.ini 23542300x80000000000000002879Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:23.628{928AB1BB-E450-60C1-FB02-00000000C301}3728NT AUTHORITY\SYSTEM\\?\C:\Windows\system32\wbem\WMIADAP.EXEC:\Windows\INF\WmiApRpl\WmiApRpl.iniMD5=FFDEEA82BA4A5A65585103DD2A922DFE,SHA256=C20B11DFF802AA472265F4E9F330244EC4ACA81B0009F6EFCB2CF8A36086F390,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002878Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:23.628{928AB1BB-E450-60C1-FB02-00000000C301}3728NT AUTHORITY\SYSTEM\\?\C:\Windows\system32\wbem\WMIADAP.EXEC:\Windows\INF\WmiApRpl\WmiApRpl.hMD5=B133A676D139032A27DE3D9619E70091,SHA256=AE2B6236D3EEB4822835714AE9444E5DCD21BC60F7A909F2962C43BC743C7B15,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002877Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:23.628{928AB1BB-E450-60C1-FB02-00000000C301}3728NT AUTHORITY\SYSTEM\\?\C:\Windows\system32\wbem\WMIADAP.EXEC:\Windows\INF\WmiApRpl\0009\WmiApRpl.iniMD5=FFDEEA82BA4A5A65585103DD2A922DFE,SHA256=C20B11DFF802AA472265F4E9F330244EC4ACA81B0009F6EFCB2CF8A36086F390,IMPHASH=00000000000000000000000000000000falsetrue 12241200x80000000000000002876Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.localSuspicious,ImageBeginWithBackslashDeleteValue2021-06-10 10:07:23.628{928AB1BB-E450-60C1-FB02-00000000C301}3728\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib\Updating 12241200x80000000000000002875Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.localSuspicious,ImageBeginWithBackslashDeleteValue2021-06-10 10:07:23.628{928AB1BB-E450-60C1-FB02-00000000C301}3728\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\System\CurrentControlSet\Services\WmiApRpl\Performance\Object List 12241200x80000000000000002874Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.localSuspicious,ImageBeginWithBackslashDeleteValue2021-06-10 10:07:23.628{928AB1BB-E450-60C1-FB02-00000000C301}3728\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\System\CurrentControlSet\Services\WmiApRpl\Performance\Last Help 12241200x80000000000000002873Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.localSuspicious,ImageBeginWithBackslashDeleteValue2021-06-10 10:07:23.628{928AB1BB-E450-60C1-FB02-00000000C301}3728\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\System\CurrentControlSet\Services\WmiApRpl\Performance\First Help 12241200x80000000000000002872Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.localSuspicious,ImageBeginWithBackslashDeleteValue2021-06-10 10:07:23.628{928AB1BB-E450-60C1-FB02-00000000C301}3728\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\System\CurrentControlSet\Services\WmiApRpl\Performance\Last Counter 12241200x80000000000000002871Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.localSuspicious,ImageBeginWithBackslashDeleteValue2021-06-10 10:07:23.628{928AB1BB-E450-60C1-FB02-00000000C301}3728\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\System\CurrentControlSet\Services\WmiApRpl\Performance\First Counter 13241300x80000000000000002870Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.localSuspicious,ImageBeginWithBackslashSetValue2021-06-10 10:07:23.628{928AB1BB-E450-60C1-FB02-00000000C301}3728\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib\Last HelpDWORD (0x0000655f) 13241300x80000000000000002869Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.localSuspicious,ImageBeginWithBackslashSetValue2021-06-10 10:07:23.628{928AB1BB-E450-60C1-FB02-00000000C301}3728\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib\Last CounterDWORD (0x0000655e) 13241300x80000000000000002868Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.localSuspicious,ImageBeginWithBackslashSetValue2021-06-10 10:07:23.612{928AB1BB-E450-60C1-FB02-00000000C301}3728\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib\UpdatingWmiApRpl 23542300x80000000000000002867Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:23.612{928AB1BB-E450-60C1-FB02-00000000C301}3728NT AUTHORITY\SYSTEM\\?\C:\Windows\system32\wbem\WMIADAP.EXEC:\Windows\System32\wbem\Performance\WmiApRpl.iniMD5=FFDEEA82BA4A5A65585103DD2A922DFE,SHA256=C20B11DFF802AA472265F4E9F330244EC4ACA81B0009F6EFCB2CF8A36086F390,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002917Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:23.338{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-365.attackrange.local52833-false10.0.1.14win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000002916Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:23.338{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-365.attackrange.local52833-false10.0.1.14win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000002915Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:23.336{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsetrue2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52832-true2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000002914Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:23.336{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruetrue2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52832-true2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000002913Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:23.333{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local52831-truefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local445microsoft-ds 354300x80000000000000002912Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:23.333{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local52831-truefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local445microsoft-ds 10341000x80000000000000002911Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:24.754{928AB1BB-E35D-60C1-0B00-00000000C301}632844C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000002910Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:24.754{928AB1BB-E35D-60C1-0B00-00000000C301}632692C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000002909Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:24.754{928AB1BB-E35D-60C1-0B00-00000000C301}632692C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000002908Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:24.754{928AB1BB-E35D-60C1-0B00-00000000C301}632840C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 354300x80000000000000002907Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:22.327{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local52830-truefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local445microsoft-ds 354300x80000000000000002906Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:22.327{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local52830-truefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local445microsoft-ds 354300x80000000000000002905Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:22.324{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52829-truefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000002904Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:22.324{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52829-truefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000002903Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:22.320{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-365.attackrange.local52828-false10.0.1.14win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000002902Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:22.320{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-365.attackrange.local52828-false10.0.1.14win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000002901Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:22.317{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsetrue2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52827-true2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000002900Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:22.317{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruetrue2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52827-true2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 10341000x80000000000000002929Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:25.771{928AB1BB-E35D-60C1-0B00-00000000C301}632676C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000002928Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:25.771{928AB1BB-E35D-60C1-0B00-00000000C301}632692C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000002927Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:25.771{928AB1BB-E35D-60C1-0B00-00000000C301}632692C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000002926Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:25.771{928AB1BB-E35D-60C1-0B00-00000000C301}632844C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 354300x80000000000000002925Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:24.354{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-365.attackrange.local52837-false10.0.1.14win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000002924Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:24.354{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-365.attackrange.local52837-false10.0.1.14win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000002923Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:24.351{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsetrue2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52836-true2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000002922Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:24.351{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruetrue2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52836-true2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000002921Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:24.348{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local52835-truefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local445microsoft-ds 354300x80000000000000002920Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:24.348{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local52835-truefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local445microsoft-ds 354300x80000000000000002919Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:23.341{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52834-truefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000002918Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:23.341{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52834-truefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 10341000x80000000000000002971Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:26.991{928AB1BB-E45E-60C1-0103-00000000C301}47123916C:\Windows\system32\conhost.exe{928AB1BB-E45E-60C1-0003-00000000C301}4960C:\Windows\system32\WinrsHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002970Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:26.991{928AB1BB-E349-60C1-0500-00000000C301}412532C:\Windows\system32\csrss.exe{928AB1BB-E45E-60C1-0103-00000000C301}4712C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000002969Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:26.975{928AB1BB-E35F-60C1-0C00-00000000C301}860904C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002968Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:26.975{928AB1BB-E35F-60C1-0C00-00000000C301}860904C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002967Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:26.975{928AB1BB-E35F-60C1-0C00-00000000C301}860904C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002966Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:26.975{928AB1BB-E35F-60C1-0C00-00000000C301}860904C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002965Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:26.975{928AB1BB-E35F-60C1-0C00-00000000C301}860904C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002964Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:26.975{928AB1BB-E35F-60C1-0C00-00000000C301}860904C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002963Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:26.975{928AB1BB-E35F-60C1-0C00-00000000C301}860904C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002962Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:26.975{928AB1BB-E35F-60C1-0C00-00000000C301}860904C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002961Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:26.975{928AB1BB-E35F-60C1-0C00-00000000C301}860904C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002960Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:26.975{928AB1BB-E349-60C1-0500-00000000C301}412428C:\Windows\system32\csrss.exe{928AB1BB-E45E-60C1-0003-00000000C301}4960C:\Windows\system32\WinrsHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000002959Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:26.975{928AB1BB-E35F-60C1-0C00-00000000C301}860108C:\Windows\system32\svchost.exe{928AB1BB-E45E-60C1-0003-00000000C301}4960C:\Windows\system32\WinrsHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+35069|c:\windows\system32\rpcss.dll+3a852|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000002958Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:26.986{928AB1BB-E45E-60C1-0003-00000000C301}4960C:\Windows\System32\winrshost.exe10.0.14393.0 (rs1_release.160715-1616)Host Process for WinRM's Remote Shell pluginMicrosoft® Windows® Operating SystemMicrosoft Corporationwinrshost.exeC:\Windows\system32\WinrsHost.exe -EmbeddingC:\Windows\system32\ATTACKRANGE\Administrator{928AB1BB-E45E-60C1-FF09-110000000000}0x1109ff0HighMD5=F40EC96CA18D88CB1F26FA2070010714,SHA256=607C014A3CA531FFAD50BCD90095C01E4E6B691D9E18473C70E4699CF1E31453,IMPHASH=4216D8E7F36901B61DFD6309B49BCF96{928AB1BB-E35F-60C1-0C00-00000000C301}860C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch 10341000x80000000000000002957Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:26.975{928AB1BB-E35D-60C1-0B00-00000000C301}632676C:\Windows\system32\lsass.exe{928AB1BB-E35F-60C1-1300-00000000C301}964C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+1d1e8|C:\Windows\system32\lsasrv.dll+1c411|C:\Windows\system32\lsasrv.dll+1ac30|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002956Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:26.975{928AB1BB-E35D-60C1-0B00-00000000C301}632676C:\Windows\system32\lsass.exe{928AB1BB-E35F-60C1-1300-00000000C301}964C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+19616|C:\Windows\system32\lsasrv.dll+1abbf|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002955Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:26.975{928AB1BB-E35D-60C1-0B00-00000000C301}632676C:\Windows\system32\lsass.exe{928AB1BB-E35F-60C1-1300-00000000C301}964C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000002954Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:25.370{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-365.attackrange.local52841-false10.0.1.14win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000002953Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:25.370{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-365.attackrange.local52841-false10.0.1.14win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000002952Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:25.367{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsetrue2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52840-true2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000002951Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:25.367{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruetrue2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52840-true2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000002950Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:25.364{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local52839-truefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local445microsoft-ds 354300x80000000000000002949Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:25.364{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local52839-truefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local445microsoft-ds 354300x80000000000000002948Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:24.356{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52838-truefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000002947Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:24.356{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52838-truefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 10341000x80000000000000002946Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:26.788{928AB1BB-E35D-60C1-0B00-00000000C301}632676C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000002945Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:26.788{928AB1BB-E35D-60C1-0B00-00000000C301}632676C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000002944Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:26.788{928AB1BB-E35D-60C1-0B00-00000000C301}632676C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000002943Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:26.788{928AB1BB-E35D-60C1-0B00-00000000C301}632840C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 13241300x80000000000000002942Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.localSuspicious,ImageBeginWithBackslashSetValue2021-06-10 10:07:26.631{928AB1BB-E450-60C1-FB02-00000000C301}3728\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\SOFTWARE\Microsoft\Wbem\PROVIDERS\Performance\Performance RefreshedDWORD (0x00000001) 13241300x80000000000000002941Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.localSuspicious,ImageBeginWithBackslashSetValue2021-06-10 10:07:26.631{928AB1BB-E450-60C1-FB02-00000000C301}3728\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\SOFTWARE\Microsoft\Wbem\PROVIDERS\Performance\Performance RefreshDWORD (0x00000000) 13241300x80000000000000002940Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.localSuspicious,ImageBeginWithBackslashSetValue2021-06-10 10:07:26.631{928AB1BB-E450-60C1-FB02-00000000C301}3728\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\SOFTWARE\Microsoft\Wbem\WDM\DREDGE\C:\Windows\System32\drivers\ena.sys[NdisMofResource]LowDateTime:-575650048,HighDateTime:30874337***Binary mof compiled successfully 13241300x80000000000000002939Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.localSuspicious,ImageBeginWithBackslashSetValue2021-06-10 10:07:26.631{928AB1BB-E450-60C1-FB02-00000000C301}3728\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\SOFTWARE\Microsoft\Wbem\WDM\DREDGE\C:\Windows\System32\drivers\en-US\intelppm.sys.mui[PROCESSORWMI]LowDateTime:-592701735,HighDateTime:30543079***Binary mof compiled successfully 13241300x80000000000000002938Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.localSuspicious,ImageBeginWithBackslashSetValue2021-06-10 10:07:26.631{928AB1BB-E450-60C1-FB02-00000000C301}3728\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\SOFTWARE\Microsoft\Wbem\WDM\DREDGE\C:\Windows\System32\drivers\intelppm.sys[PROCESSORWMI]LowDateTime:-2024749675,HighDateTime:30736945***Binary mof compiled successfully 13241300x80000000000000002937Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.localSuspicious,ImageBeginWithBackslashSetValue2021-06-10 10:07:26.631{928AB1BB-E450-60C1-FB02-00000000C301}3728\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\SOFTWARE\Microsoft\Wbem\WDM\DREDGE\C:\Windows\System32\drivers\en-US\mssmbios.sys.mui[MofResource]LowDateTime:-592857982,HighDateTime:30543079***Binary mof compiled successfully 13241300x80000000000000002936Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.localSuspicious,ImageBeginWithBackslashSetValue2021-06-10 10:07:26.631{928AB1BB-E450-60C1-FB02-00000000C301}3728\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\SOFTWARE\Microsoft\Wbem\WDM\DREDGE\C:\Windows\System32\drivers\mssmbios.sys[MofResource]LowDateTime:2077700573,HighDateTime:30531428***Binary mof compiled successfully 13241300x80000000000000002935Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.localSuspicious,ImageBeginWithBackslashSetValue2021-06-10 10:07:26.631{928AB1BB-E450-60C1-FB02-00000000C301}3728\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\SOFTWARE\Microsoft\Wbem\WDM\DREDGE\C:\Windows\System32\drivers\en-US\ACPI.sys.mui[ACPIMOFResource]LowDateTime:-592701735,HighDateTime:30543079***Binary mof compiled successfully 13241300x80000000000000002934Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.localSuspicious,ImageBeginWithBackslashSetValue2021-06-10 10:07:26.631{928AB1BB-E450-60C1-FB02-00000000C301}3728\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\SOFTWARE\Microsoft\Wbem\WDM\DREDGE\C:\Windows\System32\drivers\ACPI.sys[ACPIMOFResource]LowDateTime:-1594147734,HighDateTime:30671341***Binary mof compiled successfully 13241300x80000000000000002933Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.localSuspicious,ImageBeginWithBackslashSetValue2021-06-10 10:07:26.631{928AB1BB-E450-60C1-FB02-00000000C301}3728\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\SOFTWARE\Microsoft\Wbem\WDM\DREDGE\C:\Windows\system32\en-US\kernelbase.dll.mui[MofResourceName]LowDateTime:-1711938829,HighDateTime:30871737***Binary mof compiled successfully 13241300x80000000000000002932Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.localSuspicious,ImageBeginWithBackslashSetValue2021-06-10 10:07:26.631{928AB1BB-E450-60C1-FB02-00000000C301}3728\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\SOFTWARE\Microsoft\Wbem\WDM\DREDGE\C:\Windows\system32\kernelbase.dll[MofResourceName]LowDateTime:1488817152,HighDateTime:30878798***Binary mof compiled successfully 12241200x80000000000000002931Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.localSuspicious,ImageBeginWithBackslashDeleteKey2021-06-10 10:07:26.631{928AB1BB-E450-60C1-FB02-00000000C301}3728\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\SOFTWARE\Microsoft\Wbem\WDM\DREDGE 13241300x80000000000000002930Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.localSuspicious,ImageBeginWithBackslashSetValue2021-06-10 10:07:26.631{928AB1BB-E450-60C1-FB02-00000000C301}3728\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\SOFTWARE\Microsoft\Wbem\PROVIDERS\Performance\Performance DataBinary Data 354300x80000000000000003024Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:26.379{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local52843-truefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local445microsoft-ds 354300x80000000000000003023Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:26.379{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local52843-truefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local445microsoft-ds 354300x80000000000000003022Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:25.373{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52842-truefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000003021Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:25.372{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52842-truefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 10341000x80000000000000003020Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:27.804{928AB1BB-E35D-60C1-0B00-00000000C301}632844C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000003019Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:27.804{928AB1BB-E35D-60C1-0B00-00000000C301}632844C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000003018Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:27.804{928AB1BB-E35D-60C1-0B00-00000000C301}632692C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000003017Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:27.804{928AB1BB-E35D-60C1-0B00-00000000C301}632844C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000003016Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:27.319{928AB1BB-E35D-60C1-0B00-00000000C301}632844C:\Windows\system32\lsass.exe{928AB1BB-E35F-60C1-1300-00000000C301}964C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+1d1e8|C:\Windows\system32\lsasrv.dll+1c411|C:\Windows\system32\lsasrv.dll+1ac30|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003015Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:27.319{928AB1BB-E35D-60C1-0B00-00000000C301}632844C:\Windows\system32\lsass.exe{928AB1BB-E35F-60C1-1300-00000000C301}964C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+19616|C:\Windows\system32\lsasrv.dll+1abbf|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003014Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:27.319{928AB1BB-E35D-60C1-0B00-00000000C301}632844C:\Windows\system32\lsass.exe{928AB1BB-E35F-60C1-1300-00000000C301}964C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000003013Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:27.241{928AB1BB-E45F-60C1-0303-00000000C301}5116ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5=446DD1CF97EABA21CF14D03AEBC79F27,SHA256=A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000003012Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:27.116{928AB1BB-E35D-60C1-0B00-00000000C301}632676C:\Windows\system32\lsass.exe{928AB1BB-E45F-60C1-0303-00000000C301}5116C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003011Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:27.116{928AB1BB-E35D-60C1-0B00-00000000C301}632676C:\Windows\system32\lsass.exe{928AB1BB-E45F-60C1-0303-00000000C301}5116C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 17141700x80000000000000003010Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-CreatePipe2021-06-10 10:07:27.100{928AB1BB-E45F-60C1-0303-00000000C301}5116\PSHost.132677932470475976.5116.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 23542300x80000000000000003009Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:27.085{928AB1BB-E45F-60C1-0303-00000000C301}5116ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_m1jtyy0t.bgq.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000003008Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:27.085{928AB1BB-E45F-60C1-0303-00000000C301}5116ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_ojwdywed.2gi.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000003007Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:27.085{928AB1BB-E45F-60C1-0303-00000000C301}5116C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_ojwdywed.2gi.ps12021-06-10 10:07:27.085 10341000x80000000000000003006Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:27.069{928AB1BB-E35F-60C1-0C00-00000000C301}860904C:\Windows\system32\svchost.exe{928AB1BB-E45F-60C1-0303-00000000C301}5116C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003005Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:27.053{928AB1BB-E35D-60C1-0B00-00000000C301}632676C:\Windows\system32\lsass.exe{928AB1BB-E35F-60C1-1300-00000000C301}964C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+1d1e8|C:\Windows\system32\lsasrv.dll+1c411|C:\Windows\system32\lsasrv.dll+1ac30|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003004Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:27.053{928AB1BB-E35D-60C1-0B00-00000000C301}632676C:\Windows\system32\lsass.exe{928AB1BB-E35F-60C1-1300-00000000C301}964C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+19616|C:\Windows\system32\lsasrv.dll+1abbf|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003003Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:27.053{928AB1BB-E35D-60C1-0B00-00000000C301}632676C:\Windows\system32\lsass.exe{928AB1BB-E35F-60C1-1300-00000000C301}964C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003002Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:27.038{928AB1BB-E45E-60C1-0103-00000000C301}47123916C:\Windows\system32\conhost.exe{928AB1BB-E45F-60C1-0303-00000000C301}5116C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003001Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:27.038{928AB1BB-E35F-60C1-0C00-00000000C301}860904C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003000Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:27.038{928AB1BB-E35F-60C1-0C00-00000000C301}860904C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002999Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:27.038{928AB1BB-E35F-60C1-0C00-00000000C301}860904C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002998Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:27.038{928AB1BB-E35F-60C1-0C00-00000000C301}860904C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002997Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:27.038{928AB1BB-E35F-60C1-0C00-00000000C301}860904C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002996Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:27.038{928AB1BB-E35F-60C1-0C00-00000000C301}860904C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002995Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:27.038{928AB1BB-E35F-60C1-0C00-00000000C301}860904C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002994Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:27.038{928AB1BB-E35F-60C1-0C00-00000000C301}860904C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002993Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:27.038{928AB1BB-E35F-60C1-0C00-00000000C301}860904C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002992Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:27.038{928AB1BB-E349-60C1-0500-00000000C301}412532C:\Windows\system32\csrss.exe{928AB1BB-E45F-60C1-0303-00000000C301}5116C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000002991Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:27.038{928AB1BB-E45F-60C1-0203-00000000C301}4568528C:\Windows\system32\cmd.exe{928AB1BB-E45F-60C1-0303-00000000C301}5116C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000002990Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:27.047{928AB1BB-E45F-60C1-0303-00000000C301}5116C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXEPowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand KABHAGUAdAAtAFcAbQBpAE8AYgBqAGUAYwB0ACAALQBDAGwAYQBzAHMATgBhAG0AZQAgAFcAaQBuADMAMgBfAE8AcABlAHIAYQB0AGkAbgBnAFMAeQBzAHQAZQBtACkALgBMAGEAcwB0AEIAbwBvAHQAVQBwAFQAaQBtAGUAC:\Users\Administrator\ATTACKRANGE\Administrator{928AB1BB-E45E-60C1-FF09-110000000000}0x1109ff0HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{928AB1BB-E45F-60C1-0203-00000000C301}4568C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /C PowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand KABHAGUAdAAtAFcAbQBpAE8AYgBqAGUAYwB0ACAALQBDAGwAYQBzAHMATgBhAG0AZQAgAFcAaQBuADMAMgBfAE8AcABlAHIAYQB0AGkAbgBnAFMAeQBzAHQAZQBtACkALgBMAGEAcwB0AEIAbwBvAHQAVQBwAFQAaQBtAGUA 10341000x80000000000000002989Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:27.038{928AB1BB-E45E-60C1-0103-00000000C301}47123916C:\Windows\system32\conhost.exe{928AB1BB-E45F-60C1-0203-00000000C301}4568C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002988Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:27.038{928AB1BB-E35F-60C1-0C00-00000000C301}860904C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002987Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:27.038{928AB1BB-E35F-60C1-0C00-00000000C301}860904C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002986Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:27.038{928AB1BB-E35F-60C1-0C00-00000000C301}860904C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002985Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:27.038{928AB1BB-E35F-60C1-0C00-00000000C301}860904C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002984Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:27.038{928AB1BB-E35F-60C1-0C00-00000000C301}860904C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002983Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:27.038{928AB1BB-E35F-60C1-0C00-00000000C301}860904C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002982Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:27.038{928AB1BB-E35F-60C1-0C00-00000000C301}860904C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002981Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:27.038{928AB1BB-E35F-60C1-0C00-00000000C301}860904C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002980Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:27.038{928AB1BB-E349-60C1-0500-00000000C301}412532C:\Windows\system32\csrss.exe{928AB1BB-E45F-60C1-0203-00000000C301}4568C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000002979Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:27.038{928AB1BB-E35F-60C1-0C00-00000000C301}860904C:\Windows\system32\svchost.exe{928AB1BB-E3E5-60C1-A602-00000000C301}1012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002978Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:27.038{928AB1BB-E45E-60C1-0003-00000000C301}49603576C:\Windows\system32\WinrsHost.exe{928AB1BB-E45F-60C1-0203-00000000C301}4568C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\WinrsHost.exe+2c94|C:\Windows\system32\WinrsHost.exe+2eb1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b 154100x80000000000000002977Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:27.042{928AB1BB-E45F-60C1-0203-00000000C301}4568C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /C PowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand KABHAGUAdAAtAFcAbQBpAE8AYgBqAGUAYwB0ACAALQBDAGwAYQBzAHMATgBhAG0AZQAgAFcAaQBuADMAMgBfAE8AcABlAHIAYQB0AGkAbgBnAFMAeQBzAHQAZQBtACkALgBMAGEAcwB0AEIAbwBvAHQAVQBwAFQAaQBtAGUAC:\Users\Administrator\ATTACKRANGE\Administrator{928AB1BB-E45E-60C1-FF09-110000000000}0x1109ff0HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{928AB1BB-E45E-60C1-0003-00000000C301}4960C:\Windows\System32\winrshost.exeC:\Windows\system32\WinrsHost.exe -Embedding 10341000x80000000000000002976Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:27.038{928AB1BB-E35D-60C1-0B00-00000000C301}632676C:\Windows\system32\lsass.exe{928AB1BB-E35F-60C1-1300-00000000C301}964C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+1d1e8|C:\Windows\system32\lsasrv.dll+1c411|C:\Windows\system32\lsasrv.dll+1ac30|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002975Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:27.038{928AB1BB-E35D-60C1-0B00-00000000C301}632676C:\Windows\system32\lsass.exe{928AB1BB-E35F-60C1-1300-00000000C301}964C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+19616|C:\Windows\system32\lsasrv.dll+1abbf|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002974Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:27.038{928AB1BB-E35D-60C1-0B00-00000000C301}632676C:\Windows\system32\lsass.exe{928AB1BB-E35F-60C1-1300-00000000C301}964C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002973Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:27.007{928AB1BB-E35F-60C1-1300-00000000C301}9641504C:\Windows\system32\svchost.exe{928AB1BB-E45E-60C1-0003-00000000C301}4960C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\winrscmd.dll+8d36|C:\Windows\system32\winrscmd.dll+92d5|C:\Windows\system32\winrscmd.dll+af31|C:\Windows\system32\winrscmd.dll+23dc|c:\windows\system32\wsmsvc.dll+155ac7|c:\windows\system32\wsmsvc.dll+13f76d|c:\windows\system32\wsmsvc.dll+13f3cf|c:\windows\system32\wsmsvc.dll+13fcb2|c:\windows\system32\wsmsvc.dll+9ab10|c:\windows\system32\wsmsvc.dll+9b611|c:\windows\system32\wsmsvc.dll+4495|c:\windows\system32\wsmsvc.dll+16816c|c:\windows\system32\wsmsvc.dll+1689b8|c:\windows\system32\wsmsvc.dll+16345b|c:\windows\system32\wsmsvc.dll+163125|c:\windows\system32\wsmsvc.dll+14ce9c|c:\windows\system32\wsmsvc.dll+130049|c:\windows\system32\wsmsvc.dll+13571a|c:\windows\system32\wsmsvc.dll+12f47e|c:\windows\system32\wsmsvc.dll+125587|c:\windows\system32\wsmsvc.dll+11f562|c:\windows\system32\wsmsvc.dll+124574 10341000x80000000000000002972Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:27.007{928AB1BB-E35F-60C1-0C00-00000000C301}860904C:\Windows\system32\svchost.exe{928AB1BB-E45E-60C1-0003-00000000C301}4960C:\Windows\system32\WinrsHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000003043Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:27.405{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52850-truefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000003042Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:27.405{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52850-truefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000003041Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:27.402{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-365.attackrange.local52849-false10.0.1.14win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000003040Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:27.402{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-365.attackrange.local52849-false10.0.1.14win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000003039Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:27.399{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsetrue2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52848-true2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000003038Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:27.399{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruetrue2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52848-true2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000003037Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:27.395{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local52847-truefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local445microsoft-ds 354300x80000000000000003036Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:27.395{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local52847-truefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local445microsoft-ds 354300x80000000000000003035Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:26.503{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse46.128.24.7946.128.24.79.dynamic.cablesurf.de52720-false10.0.1.14win-dc-365.attackrange.local5986- 354300x80000000000000003034Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:26.387{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52846-truefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000003033Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:26.387{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52846-truefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000003032Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:26.385{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-365.attackrange.local52845-false10.0.1.14win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000003031Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:26.385{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-365.attackrange.local52845-false10.0.1.14win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000003030Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:26.382{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsetrue2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52844-true2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000003029Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:26.382{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruetrue2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52844-true2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 10341000x80000000000000003028Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:28.821{928AB1BB-E35D-60C1-0B00-00000000C301}632840C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000003027Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:28.821{928AB1BB-E35D-60C1-0B00-00000000C301}632692C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000003026Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:28.821{928AB1BB-E35D-60C1-0B00-00000000C301}632840C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000003025Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:28.821{928AB1BB-E35D-60C1-0B00-00000000C301}632840C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 354300x80000000000000003053Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:28.417{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-365.attackrange.local52853-false10.0.1.14win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000003052Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:28.417{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-365.attackrange.local52853-false10.0.1.14win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000003051Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:28.414{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsetrue2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52852-true2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000003050Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:28.414{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruetrue2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52852-true2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000003049Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:28.411{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local52851-truefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local445microsoft-ds 354300x80000000000000003048Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:28.411{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local52851-truefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local445microsoft-ds 10341000x80000000000000003047Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:29.838{928AB1BB-E35D-60C1-0B00-00000000C301}632840C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000003046Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:29.838{928AB1BB-E35D-60C1-0B00-00000000C301}632840C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000003045Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:29.838{928AB1BB-E35D-60C1-0B00-00000000C301}632840C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000003044Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:29.838{928AB1BB-E35D-60C1-0B00-00000000C301}632840C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000003057Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:30.854{928AB1BB-E35D-60C1-0B00-00000000C301}632844C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000003056Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:30.854{928AB1BB-E35D-60C1-0B00-00000000C301}632844C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000003055Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:30.854{928AB1BB-E35D-60C1-0B00-00000000C301}632692C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000003054Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:30.854{928AB1BB-E35D-60C1-0B00-00000000C301}632840C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000003069Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:31.879{928AB1BB-E35D-60C1-0B00-00000000C301}632844C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000003068Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:31.876{928AB1BB-E35D-60C1-0B00-00000000C301}632692C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000003067Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:31.873{928AB1BB-E35D-60C1-0B00-00000000C301}632692C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000003066Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:31.870{928AB1BB-E35D-60C1-0B00-00000000C301}632692C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 354300x80000000000000003065Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:29.432{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-365.attackrange.local52857-false10.0.1.14win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000003064Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:29.432{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-365.attackrange.local52857-false10.0.1.14win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000003063Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:29.429{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsetrue2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52856-true2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000003062Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:29.429{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruetrue2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52856-true2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000003061Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:29.426{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local52855-truefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local445microsoft-ds 354300x80000000000000003060Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:29.426{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local52855-truefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local445microsoft-ds 354300x80000000000000003059Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:28.420{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52854-truefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000003058Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:28.420{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52854-truefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 10341000x80000000000000003079Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:32.885{928AB1BB-E35D-60C1-0B00-00000000C301}632844C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000003078Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:32.885{928AB1BB-E35D-60C1-0B00-00000000C301}632840C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000003077Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:32.885{928AB1BB-E35D-60C1-0B00-00000000C301}632692C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000003076Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:32.885{928AB1BB-E35D-60C1-0B00-00000000C301}632692C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 354300x80000000000000003075Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:30.445{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsetrue2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52860-true2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000003074Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:30.445{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruetrue2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52860-true2001:0:2851:782c:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000003073Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:30.442{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local52859-truefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local445microsoft-ds 354300x80000000000000003072Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:30.442{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local52859-truefe80:0:0:0:103f:51d:2a6e:90cewin-dc-365.attackrange.local445microsoft-ds 354300x80000000000000003071Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:29.435{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52858-truefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 354300x80000000000000003070Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:29.435{928AB1BB-E348-60C1-0100-00000000C301}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local52858-truefe80:0:0:0:1039:10bb:f5ff:fef1win-dc-365.attackrange.local445microsoft-ds 10341000x80000000000000003089Microsoft-Windows-Sysmon/Operationalwin-dc-365.attackrange.local-2021-06-10 10:07:33.905{928AB1BB-E35D-60C1-0B00-00000000C301}632840C:\Windows\system32\lsass.exe{928AB1BB-E348-60C1-0100-00000000C301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x8000000000000000