154100x800000000000000022767Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:19:16.603{7E7FFDA1-39E4-5FCE-0000-0010B9AB2E00}6116C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000022768Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:19:16.602{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-39E4-5FCE-0000-0010B9AB2E00}6116C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022769Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:19:16.602{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640788C:\Windows\system32\csrss.exe{7E7FFDA1-39E4-5FCE-0000-0010B9AB2E00}6116C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000022770Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:19:16.602{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5887040C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022771Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:19:16.602{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5887040C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022772Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:19:16.602{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5887040C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022773Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:19:16.602{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5887040C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022774Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:19:16.602{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-39E4-5FCE-0000-0010B9AB2E00}6116C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000022758Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:19:15.259{7E7FFDA1-39E3-5FCE-0000-001090A92E00}820C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000022759Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:19:15.259{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-39E3-5FCE-0000-001090A92E00}820C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022760Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:19:15.259{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640656C:\Windows\system32\csrss.exe{7E7FFDA1-39E3-5FCE-0000-001090A92E00}820C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000022761Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:19:15.259{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5887040C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022762Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:19:15.259{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5887040C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022763Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:19:15.259{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5887040C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022764Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:19:15.259{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5887040C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022765Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:19:15.259{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-39E3-5FCE-0000-001090A92E00}820C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022766Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:19:15.415{7E7FFDA1-39E3-5FCE-0000-001090A92E00}8202964C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000022741Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:19:14.056{7E7FFDA1-39E2-5FCE-0000-001032A62E00}5112C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000022742Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:19:14.056{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-39E2-5FCE-0000-001032A62E00}5112C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022743Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:19:14.056{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640656C:\Windows\system32\csrss.exe{7E7FFDA1-39E2-5FCE-0000-001032A62E00}5112C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000022744Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:19:14.056{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5887040C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022745Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:19:14.056{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5887040C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022746Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:19:14.056{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5887040C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022747Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:19:14.056{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5887040C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022748Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:19:14.056{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-39E2-5FCE-0000-001032A62E00}5112C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000022749Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:19:14.588{7E7FFDA1-39E2-5FCE-0000-0010E4A72E00}1396C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe?????"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000022750Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:19:14.587{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-39E2-5FCE-0000-0010E4A72E00}1396C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022751Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:19:14.587{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640656C:\Windows\system32\csrss.exe{7E7FFDA1-39E2-5FCE-0000-0010E4A72E00}1396C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000022752Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:19:14.587{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5887040C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022753Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:19:14.587{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5887040C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022754Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:19:14.587{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5887040C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022755Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:19:14.587{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5887040C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022756Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:19:14.587{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-39E2-5FCE-0000-0010E4A72E00}1396C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022757Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:19:14.727{7E7FFDA1-39E2-5FCE-0000-0010E4A72E00}13965176C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000022732Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:19:13.384{7E7FFDA1-39E1-5FCE-0000-00107CA42E00}5300C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe?????"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000022733Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:19:13.384{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-39E1-5FCE-0000-00107CA42E00}5300C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022734Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:19:13.384{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640788C:\Windows\system32\csrss.exe{7E7FFDA1-39E1-5FCE-0000-00107CA42E00}5300C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000022735Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:19:13.384{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5887040C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022736Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:19:13.384{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5887040C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022737Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:19:13.384{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5887040C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022738Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:19:13.384{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5887040C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022739Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:19:13.384{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-39E1-5FCE-0000-00107CA42E00}5300C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022740Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:19:13.524{7E7FFDA1-39E1-5FCE-0000-00107CA42E00}53004936C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000022723Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:19:12.509{7E7FFDA1-39E0-5FCE-0000-0010B4A22E00}4524C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000022724Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:19:12.509{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-39E0-5FCE-0000-0010B4A22E00}4524C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022725Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:19:12.509{7E7FFDA1-18AF-5FCE-0000-0010FA420000}6402404C:\Windows\system32\csrss.exe{7E7FFDA1-39E0-5FCE-0000-0010B4A22E00}4524C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000022726Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:19:12.509{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5887040C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022727Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:19:12.509{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5887040C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022728Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:19:12.509{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5887040C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022729Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:19:12.509{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5887040C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022730Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:19:12.509{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-39E0-5FCE-0000-0010B4A22E00}4524C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022731Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:19:12.649{7E7FFDA1-39E0-5FCE-0000-0010B4A22E00}45245036C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000022715Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:19:11.572{7E7FFDA1-39DF-5FCE-0000-0010FDA02E00}4972C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000022716Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:19:11.571{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-39DF-5FCE-0000-0010FDA02E00}4972C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022717Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:19:11.571{7E7FFDA1-18AF-5FCE-0000-0010FA420000}6401160C:\Windows\system32\csrss.exe{7E7FFDA1-39DF-5FCE-0000-0010FDA02E00}4972C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000022718Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:19:11.571{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5887040C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022719Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:19:11.571{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5887040C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022720Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:19:11.571{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5887040C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022721Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:19:11.571{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5887040C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022722Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:19:11.571{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-39DF-5FCE-0000-0010FDA02E00}4972C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x800000000000000022712Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 14:18:20.618{7E7FFDA1-18C1-5FCE-0000-001019C00200}3100C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\A47110B2-D436-47F8-BEA1-61CCEBF6C04E\Replica Set Configuration File\\?\C:\System Volume Information\DFSR\Config\Replica_A47110B2-D436-47F8-BEA1-61CCEBF6C04E.XML 13241300x800000000000000022713Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 14:18:20.618{7E7FFDA1-18C1-5FCE-0000-001019C00200}3100C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\A47110B2-D436-47F8-BEA1-61CCEBF6C04E\Config SourceDWORD (0x00000001) 13241300x800000000000000022714Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 14:18:20.634{7E7FFDA1-18C1-5FCE-0000-001019C00200}3100C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Volumes\9D191D6C-0000-0000-0000-100000000000\Volume Configuration File\\.\C:\System Volume Information\DFSR\Config\Volume_9D191D6C-0000-0000-0000-100000000000.XML 154100x800000000000000022704Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:18:16.588{7E7FFDA1-39A8-5FCE-0000-0010F8922E00}5812C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000022705Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:18:16.587{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-39A8-5FCE-0000-0010F8922E00}5812C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022706Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:18:16.587{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640656C:\Windows\system32\csrss.exe{7E7FFDA1-39A8-5FCE-0000-0010F8922E00}5812C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000022707Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:18:16.587{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5887040C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022708Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:18:16.587{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5887040C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022709Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:18:16.587{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5887040C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022710Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:18:16.587{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5887040C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022711Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:18:16.587{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-39A8-5FCE-0000-0010F8922E00}5812C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000022695Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:18:15.228{7E7FFDA1-39A7-5FCE-0000-00102F912E00}2840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe?????"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000022696Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:18:15.228{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-39A7-5FCE-0000-00102F912E00}2840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022697Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:18:15.228{7E7FFDA1-18AF-5FCE-0000-0010FA420000}6402404C:\Windows\system32\csrss.exe{7E7FFDA1-39A7-5FCE-0000-00102F912E00}2840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000022698Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:18:15.228{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5887040C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022699Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:18:15.228{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5887040C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022700Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:18:15.228{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5887040C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022701Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:18:15.228{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5887040C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022702Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:18:15.228{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-39A7-5FCE-0000-00102F912E00}2840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022703Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:18:15.368{7E7FFDA1-39A7-5FCE-0000-00102F912E00}28406576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000022677Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:18:14.056{7E7FFDA1-39A6-5FCE-0000-0010738D2E00}4468C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe?????"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000022678Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:18:14.056{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-39A6-5FCE-0000-0010738D2E00}4468C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022679Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:18:14.056{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640788C:\Windows\system32\csrss.exe{7E7FFDA1-39A6-5FCE-0000-0010738D2E00}4468C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000022680Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:18:14.056{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5887040C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022681Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:18:14.056{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5887040C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022682Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:18:14.056{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5887040C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022683Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:18:14.056{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5887040C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022684Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:18:14.056{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-39A6-5FCE-0000-0010738D2E00}4468C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022685Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:18:14.196{7E7FFDA1-39A6-5FCE-0000-0010738D2E00}44687152C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000022686Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:18:14.556{7E7FFDA1-39A6-5FCE-0000-0010FC8E2E00}5368C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000022687Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:18:14.556{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-39A6-5FCE-0000-0010FC8E2E00}5368C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022688Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:18:14.556{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640656C:\Windows\system32\csrss.exe{7E7FFDA1-39A6-5FCE-0000-0010FC8E2E00}5368C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000022689Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:18:14.556{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5887040C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022690Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:18:14.556{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5887040C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022691Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:18:14.556{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5887040C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022692Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:18:14.556{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5887040C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022693Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:18:14.556{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-39A6-5FCE-0000-0010FC8E2E00}5368C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022694Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:18:14.696{7E7FFDA1-39A6-5FCE-0000-0010FC8E2E00}53684948C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000022669Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:18:13.385{7E7FFDA1-39A5-5FCE-0000-0010A48B2E00}6128C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000022670Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:18:13.384{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-39A5-5FCE-0000-0010A48B2E00}6128C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022671Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:18:13.384{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640656C:\Windows\system32\csrss.exe{7E7FFDA1-39A5-5FCE-0000-0010A48B2E00}6128C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000022672Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:18:13.384{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5887040C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022673Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:18:13.384{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5887040C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022674Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:18:13.384{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5887040C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022675Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:18:13.384{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5887040C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022676Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:18:13.384{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-39A5-5FCE-0000-0010A48B2E00}6128C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000022660Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:18:12.510{7E7FFDA1-39A4-5FCE-0000-0010D8892E00}2084C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000022661Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:18:12.509{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-39A4-5FCE-0000-0010D8892E00}2084C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022662Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:18:12.509{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640788C:\Windows\system32\csrss.exe{7E7FFDA1-39A4-5FCE-0000-0010D8892E00}2084C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000022663Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:18:12.509{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5887040C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022664Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:18:12.509{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5887040C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022665Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:18:12.509{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5887040C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022666Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:18:12.509{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5887040C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022667Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:18:12.509{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-39A4-5FCE-0000-0010D8892E00}2084C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022668Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:18:12.649{7E7FFDA1-39A4-5FCE-0000-0010D8892E00}20844464C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000022652Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:18:11.572{7E7FFDA1-39A3-5FCE-0000-00102D882E00}2064C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000022653Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:18:11.571{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-39A3-5FCE-0000-00102D882E00}2064C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022654Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:18:11.571{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640656C:\Windows\system32\csrss.exe{7E7FFDA1-39A3-5FCE-0000-00102D882E00}2064C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000022655Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:18:11.571{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5887040C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022656Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:18:11.571{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5887040C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022657Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:18:11.571{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5887040C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022658Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:18:11.571{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5887040C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022659Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:18:11.571{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-39A3-5FCE-0000-00102D882E00}2064C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022623Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:17:44.040{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-0010F6730B00}5664C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022624Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:17:44.040{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-0010F6730B00}5664C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022625Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:17:44.040{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-0010F6730B00}5664C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022626Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:17:44.040{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-0010F6730B00}5664C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022627Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:17:44.040{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-0010F6730B00}5664C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022628Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:17:44.040{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-0010F6730B00}5664C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022629Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:17:44.040{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-0010F6730B00}5664C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022630Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:17:44.040{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-0010F6730B00}5664C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022631Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:17:44.040{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-001032810B00}5772C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022632Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:17:44.040{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-001032810B00}5772C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022633Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:17:44.040{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-001032810B00}5772C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022634Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:17:44.040{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-001032810B00}5772C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022635Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:17:44.040{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-001032810B00}5772C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022636Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:17:44.040{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-001032810B00}5772C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022637Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:17:44.040{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-001032810B00}5772C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022638Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:17:44.040{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022639Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:17:44.040{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022640Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:17:44.040{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022641Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:17:44.040{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022642Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:17:44.040{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022643Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:17:44.040{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022644Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:17:44.040{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022645Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:17:44.040{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022646Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:17:44.040{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022647Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:17:44.040{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022648Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:17:44.040{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022649Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:17:44.040{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022650Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:17:44.040{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022651Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:17:44.040{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022621Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:17:37.134{7E7FFDA1-18B1-5FCE-0000-001002BA0000}11526896C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-001019C00200}3100C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+2597b|C:\Windows\system32\wbem\wmiprvsd.dll+283dc|C:\Windows\system32\wbem\wmiprvsd.dll+57817|C:\Windows\system32\wbem\wmiprvsd.dll+8a475|C:\Windows\system32\wbem\wbemcore.dll+bcb3|C:\Windows\system32\wbem\wbemcore.dll+3393|C:\Windows\system32\wbem\wbemcore.dll+22adf|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+2c9be|C:\Windows\system32\wbem\wbemcore.dll+202d8|C:\Windows\system32\wbem\wbemcore.dll+390e|C:\Windows\system32\wbem\wbemcore.dll+22bba|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022622Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:17:37.134{7E7FFDA1-18B1-5FCE-0000-001002BA0000}11526896C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-001019C00200}3100C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+2a2f2|C:\Windows\system32\wbem\wmiprvsd.dll+29e26|C:\Windows\system32\wbem\wmiprvsd.dll+28432|C:\Windows\system32\wbem\wmiprvsd.dll+57817|C:\Windows\system32\wbem\wmiprvsd.dll+8a475|C:\Windows\system32\wbem\wbemcore.dll+bcb3|C:\Windows\system32\wbem\wbemcore.dll+3393|C:\Windows\system32\wbem\wbemcore.dll+22adf|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+2c9be|C:\Windows\system32\wbem\wbemcore.dll+202d8|C:\Windows\system32\wbem\wbemcore.dll+390e|C:\Windows\system32\wbem\wbemcore.dll+22bba|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022620Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:17:35.556{7E7FFDA1-18AF-5FCE-0000-001027540000}856896C:\Windows\system32\lsass.exe{7E7FFDA1-18AE-5FCE-0000-0010EB030000}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2e101|C:\Windows\system32\lsasrv.dll+2c2c4|C:\Windows\system32\lsasrv.dll+31819|C:\Windows\system32\lsasrv.dll+2f177|C:\Windows\system32\lsasrv.dll+2e101|C:\Windows\system32\lsasrv.dll+16cdd|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 154100x800000000000000022612Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:17:16.572{7E7FFDA1-396C-5FCE-0000-0010517A2E00}1052C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000022613Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:17:16.571{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-396C-5FCE-0000-0010517A2E00}1052C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022614Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:17:16.571{7E7FFDA1-18AF-5FCE-0000-0010FA420000}6402404C:\Windows\system32\csrss.exe{7E7FFDA1-396C-5FCE-0000-0010517A2E00}1052C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000022615Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:17:16.571{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5887040C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022616Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:17:16.571{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5887040C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022617Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:17:16.571{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5887040C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022618Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:17:16.571{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5887040C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022619Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:17:16.571{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-396C-5FCE-0000-0010517A2E00}1052C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000022603Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:17:15.120{7E7FFDA1-396B-5FCE-0000-00101C782E00}4496C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000022604Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:17:15.118{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-396B-5FCE-0000-00101C782E00}4496C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022605Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:17:15.118{7E7FFDA1-18AF-5FCE-0000-0010FA420000}6402404C:\Windows\system32\csrss.exe{7E7FFDA1-396B-5FCE-0000-00101C782E00}4496C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000022606Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:17:15.118{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5887040C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022607Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:17:15.118{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5887040C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022608Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:17:15.118{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5887040C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022609Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:17:15.118{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5887040C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022610Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:17:15.118{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-396B-5FCE-0000-00101C782E00}4496C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022611Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:17:15.259{7E7FFDA1-396B-5FCE-0000-00101C782E00}44965844C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000022594Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:17:14.557{7E7FFDA1-396A-5FCE-0000-00105C762E00}4452C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe?????"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000022595Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:17:14.556{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-396A-5FCE-0000-00105C762E00}4452C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022596Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:17:14.556{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640788C:\Windows\system32\csrss.exe{7E7FFDA1-396A-5FCE-0000-00105C762E00}4452C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000022597Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:17:14.556{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5887040C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022598Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:17:14.556{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5887040C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022599Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:17:14.556{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5887040C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022600Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:17:14.556{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5887040C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022601Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:17:14.556{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-396A-5FCE-0000-00105C762E00}4452C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022602Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:17:14.696{7E7FFDA1-396A-5FCE-0000-00105C762E00}44526832C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000022577Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:17:13.385{7E7FFDA1-3969-5FCE-0000-0010FC722E00}6752C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe?????"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000022578Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:17:13.384{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-3969-5FCE-0000-0010FC722E00}6752C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022579Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:17:13.384{7E7FFDA1-18AF-5FCE-0000-0010FA420000}6402404C:\Windows\system32\csrss.exe{7E7FFDA1-3969-5FCE-0000-0010FC722E00}6752C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000022580Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:17:13.384{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5887040C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022581Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:17:13.384{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5887040C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022582Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:17:13.384{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5887040C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022583Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:17:13.384{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5887040C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022584Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:17:13.384{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-3969-5FCE-0000-0010FC722E00}6752C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022585Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:17:13.525{7E7FFDA1-3969-5FCE-0000-0010FC722E00}67522144C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000022586Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:17:13.885{7E7FFDA1-3969-5FCE-0000-0010BD742E00}4860C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000022587Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:17:13.884{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-3969-5FCE-0000-0010BD742E00}4860C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022588Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:17:13.884{7E7FFDA1-18AF-5FCE-0000-0010FA420000}6401160C:\Windows\system32\csrss.exe{7E7FFDA1-3969-5FCE-0000-0010BD742E00}4860C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000022589Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:17:13.884{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5887040C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022590Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:17:13.884{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5887040C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022591Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:17:13.884{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5887040C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022592Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:17:13.884{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5887040C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022593Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:17:13.884{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-3969-5FCE-0000-0010BD742E00}4860C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000022568Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:17:12.510{7E7FFDA1-3968-5FCE-0000-001036712E00}6940C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000022569Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:17:12.509{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-3968-5FCE-0000-001036712E00}6940C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022570Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:17:12.509{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640788C:\Windows\system32\csrss.exe{7E7FFDA1-3968-5FCE-0000-001036712E00}6940C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000022571Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:17:12.509{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5887040C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022572Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:17:12.509{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5887040C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022573Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:17:12.509{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5887040C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022574Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:17:12.509{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5887040C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022575Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:17:12.509{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-3968-5FCE-0000-001036712E00}6940C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022576Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:17:12.650{7E7FFDA1-3968-5FCE-0000-001036712E00}69403300C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000022560Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:17:11.557{7E7FFDA1-3967-5FCE-0000-00108B6F2E00}6872C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000022561Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:17:11.556{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-3967-5FCE-0000-00108B6F2E00}6872C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022562Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:17:11.556{7E7FFDA1-18AF-5FCE-0000-0010FA420000}6402404C:\Windows\system32\csrss.exe{7E7FFDA1-3967-5FCE-0000-00108B6F2E00}6872C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000022563Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:17:11.556{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5887040C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022564Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:17:11.556{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5887040C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022565Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:17:11.556{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5887040C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022566Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:17:11.556{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5887040C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022567Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:17:11.556{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-3967-5FCE-0000-00108B6F2E00}6872C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000022552Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:16:16.556{7E7FFDA1-3930-5FCE-0000-001003632E00}5808C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000022553Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:16:16.556{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-3930-5FCE-0000-001003632E00}5808C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022554Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:16:16.556{7E7FFDA1-18AF-5FCE-0000-0010FA420000}6401160C:\Windows\system32\csrss.exe{7E7FFDA1-3930-5FCE-0000-001003632E00}5808C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000022555Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:16:16.556{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5887040C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022556Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:16:16.556{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5887040C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022557Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:16:16.556{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5887040C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022558Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:16:16.556{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5887040C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022559Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:16:16.556{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-3930-5FCE-0000-001003632E00}5808C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000022543Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:16:15.198{7E7FFDA1-392F-5FCE-0000-00101D612E00}2740C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe?????"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000022544Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:16:15.196{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-392F-5FCE-0000-00101D612E00}2740C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022545Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:16:15.196{7E7FFDA1-18AF-5FCE-0000-0010FA420000}6401160C:\Windows\system32\csrss.exe{7E7FFDA1-392F-5FCE-0000-00101D612E00}2740C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000022546Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:16:15.196{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5887040C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022547Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:16:15.196{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5887040C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022548Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:16:15.196{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5887040C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022549Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:16:15.196{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5887040C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022550Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:16:15.196{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-392F-5FCE-0000-00101D612E00}2740C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022551Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:16:15.337{7E7FFDA1-392F-5FCE-0000-00101D612E00}27403712C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000022525Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:16:14.056{7E7FFDA1-392E-5FCE-0000-0010685D2E00}6548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe?????"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000022526Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:16:14.056{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-392E-5FCE-0000-0010685D2E00}6548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022527Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:16:14.056{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640656C:\Windows\system32\csrss.exe{7E7FFDA1-392E-5FCE-0000-0010685D2E00}6548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000022528Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:16:14.056{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5887040C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022529Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:16:14.056{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5887040C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022530Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:16:14.056{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5887040C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022531Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:16:14.056{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5887040C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022532Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:16:14.056{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-392E-5FCE-0000-0010685D2E00}6548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022533Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:16:14.196{7E7FFDA1-392E-5FCE-0000-0010685D2E00}65484148C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000022534Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:16:14.603{7E7FFDA1-392E-5FCE-0000-0010105F2E00}4944C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000022535Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:16:14.602{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-392E-5FCE-0000-0010105F2E00}4944C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022536Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:16:14.602{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640656C:\Windows\system32\csrss.exe{7E7FFDA1-392E-5FCE-0000-0010105F2E00}4944C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000022537Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:16:14.602{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5887040C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022538Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:16:14.602{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5887040C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022539Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:16:14.602{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5887040C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022540Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:16:14.602{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5887040C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022541Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:16:14.602{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-392E-5FCE-0000-0010105F2E00}4944C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022542Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:16:14.743{7E7FFDA1-392E-5FCE-0000-0010105F2E00}49446280C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000022517Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:16:13.384{7E7FFDA1-392D-5FCE-0000-00109A5B2E00}5080C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000022518Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:16:13.384{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-392D-5FCE-0000-00109A5B2E00}5080C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022519Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:16:13.384{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640656C:\Windows\system32\csrss.exe{7E7FFDA1-392D-5FCE-0000-00109A5B2E00}5080C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000022520Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:16:13.384{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5887040C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022521Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:16:13.384{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5887040C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022522Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:16:13.384{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5887040C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022523Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:16:13.384{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5887040C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022524Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:16:13.384{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-392D-5FCE-0000-00109A5B2E00}5080C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000022508Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:16:12.509{7E7FFDA1-392C-5FCE-0000-0010EE592E00}5020C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000022509Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:16:12.509{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-392C-5FCE-0000-0010EE592E00}5020C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022510Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:16:12.509{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640788C:\Windows\system32\csrss.exe{7E7FFDA1-392C-5FCE-0000-0010EE592E00}5020C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000022511Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:16:12.509{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5887040C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022512Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:16:12.509{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5887040C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022513Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:16:12.509{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5887040C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022514Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:16:12.509{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5887040C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022515Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:16:12.509{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-392C-5FCE-0000-0010EE592E00}5020C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022516Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:16:12.649{7E7FFDA1-392C-5FCE-0000-0010EE592E00}50204916C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000022500Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:16:11.556{7E7FFDA1-392B-5FCE-0000-00103A582E00}5940C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000022501Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:16:11.556{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-392B-5FCE-0000-00103A582E00}5940C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022502Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:16:11.556{7E7FFDA1-18AF-5FCE-0000-0010FA420000}6402404C:\Windows\system32\csrss.exe{7E7FFDA1-392B-5FCE-0000-00103A582E00}5940C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000022503Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:16:11.556{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5887040C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022504Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:16:11.556{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5887040C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022505Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:16:11.556{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5887040C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022506Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:16:11.556{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5887040C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022507Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:16:11.556{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-392B-5FCE-0000-00103A582E00}5940C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x800000000000000022490Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 14:15:58.430{7E7FFDA1-18AF-5FCE-0000-001027540000}856C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d6ccab-0xdd71065a) 13241300x800000000000000022491Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 14:15:58.430{7E7FFDA1-18AF-5FCE-0000-001027540000}856C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d6cca3-0x7bac9e5a) 13241300x800000000000000022492Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 14:15:58.430{7E7FFDA1-18AF-5FCE-0000-001027540000}856C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d6cc9b-0x19e8365a) 13241300x800000000000000022493Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 14:15:58.430{7E7FFDA1-18AF-5FCE-0000-001027540000}856C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x007ec7ee) 13241300x800000000000000022494Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 14:15:58.430{7E7FFDA1-18AF-5FCE-0000-001027540000}856C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x800000000000000022495Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 14:15:58.430{7E7FFDA1-18AF-5FCE-0000-001027540000}856C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d6ccab-0xdd71065a) 13241300x800000000000000022496Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 14:15:58.430{7E7FFDA1-18AF-5FCE-0000-001027540000}856C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d6cca3-0x7bac9e5a) 13241300x800000000000000022497Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 14:15:58.430{7E7FFDA1-18AF-5FCE-0000-001027540000}856C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d6cc9b-0x19e8365a) 13241300x800000000000000022498Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 14:15:58.430{7E7FFDA1-18AF-5FCE-0000-001027540000}856C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x007ec7ee) 13241300x800000000000000022499Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 14:15:58.430{7E7FFDA1-18AF-5FCE-0000-001027540000}856C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 10341000x800000000000000022461Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:15:43.024{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-0010F6730B00}5664C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022462Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:15:43.024{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-0010F6730B00}5664C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022463Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:15:43.024{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-0010F6730B00}5664C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022464Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:15:43.024{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-0010F6730B00}5664C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022465Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:15:43.024{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-0010F6730B00}5664C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022466Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:15:43.024{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-0010F6730B00}5664C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022467Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:15:43.024{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-0010F6730B00}5664C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022468Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:15:43.024{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-0010F6730B00}5664C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022469Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:15:43.024{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-001032810B00}5772C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022470Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:15:43.024{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-001032810B00}5772C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022471Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:15:43.024{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-001032810B00}5772C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022472Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:15:43.024{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-001032810B00}5772C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022473Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:15:43.024{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-001032810B00}5772C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022474Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:15:43.024{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-001032810B00}5772C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022475Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:15:43.024{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-001032810B00}5772C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022476Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:15:43.024{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022477Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:15:43.024{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022478Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:15:43.024{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022479Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:15:43.024{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022480Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:15:43.024{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022481Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:15:43.024{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022482Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:15:43.024{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022483Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:15:43.024{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022484Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:15:43.024{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022485Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:15:43.024{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022486Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:15:43.024{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022487Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:15:43.024{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022488Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:15:43.024{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022489Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:15:43.024{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022460Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:15:40.243{7E7FFDA1-18AF-5FCE-0000-001027540000}856896C:\Windows\system32\lsass.exe{7E7FFDA1-18AE-5FCE-0000-0010EB030000}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2e101|C:\Windows\system32\lsasrv.dll+2c2c4|C:\Windows\system32\lsasrv.dll+31819|C:\Windows\system32\lsasrv.dll+2f177|C:\Windows\system32\lsasrv.dll+2e101|C:\Windows\system32\lsasrv.dll+16cdd|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x800000000000000022457Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:15:37.462{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5887040C:\Windows\system32\svchost.exe{7E7FFDA1-18B1-5FCE-0000-0010CBF20000}1588C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022458Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:15:37.462{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5887040C:\Windows\system32\svchost.exe{7E7FFDA1-18B1-5FCE-0000-0010CBF20000}1588C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022459Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:15:37.462{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5887040C:\Windows\system32\svchost.exe{7E7FFDA1-18B1-5FCE-0000-0010CBF20000}1588C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000022449Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:15:16.556{7E7FFDA1-38F4-5FCE-0000-0010F7452E00}6088C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000022450Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:15:16.555{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-38F4-5FCE-0000-0010F7452E00}6088C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022451Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:15:16.555{7E7FFDA1-18AF-5FCE-0000-0010FA420000}6401160C:\Windows\system32\csrss.exe{7E7FFDA1-38F4-5FCE-0000-0010F7452E00}6088C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000022452Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:15:16.555{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022453Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:15:16.555{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022454Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:15:16.555{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022455Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:15:16.555{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022456Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:15:16.555{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-38F4-5FCE-0000-0010F7452E00}6088C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000022440Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:15:15.275{7E7FFDA1-38F3-5FCE-0000-001033442E00}984C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe?????"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000022441Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:15:15.274{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-38F3-5FCE-0000-001033442E00}984C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022442Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:15:15.274{7E7FFDA1-18AF-5FCE-0000-0010FA420000}6402404C:\Windows\system32\csrss.exe{7E7FFDA1-38F3-5FCE-0000-001033442E00}984C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000022443Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:15:15.274{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022444Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:15:15.274{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022445Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:15:15.274{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022446Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:15:15.274{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022447Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:15:15.274{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-38F3-5FCE-0000-001033442E00}984C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022448Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:15:15.415{7E7FFDA1-38F3-5FCE-0000-001033442E00}9842784C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000022423Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:15:14.056{7E7FFDA1-38F2-5FCE-0000-00106B402E00}5220C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000022424Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:15:14.055{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-38F2-5FCE-0000-00106B402E00}5220C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022425Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:15:14.055{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640656C:\Windows\system32\csrss.exe{7E7FFDA1-38F2-5FCE-0000-00106B402E00}5220C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000022426Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:15:14.055{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022427Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:15:14.055{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022428Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:15:14.055{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022429Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:15:14.055{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022430Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:15:14.055{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-38F2-5FCE-0000-00106B402E00}5220C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000022431Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:15:14.603{7E7FFDA1-38F2-5FCE-0000-001008422E00}6160C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000022432Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:15:14.602{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-38F2-5FCE-0000-001008422E00}6160C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022433Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:15:14.602{7E7FFDA1-18AF-5FCE-0000-0010FA420000}6402404C:\Windows\system32\csrss.exe{7E7FFDA1-38F2-5FCE-0000-001008422E00}6160C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000022434Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:15:14.602{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022435Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:15:14.602{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022436Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:15:14.602{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022437Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:15:14.602{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022438Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:15:14.602{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-38F2-5FCE-0000-001008422E00}6160C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022439Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:15:14.743{7E7FFDA1-38F2-5FCE-0000-001008422E00}61606796C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000022414Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:15:13.384{7E7FFDA1-38F1-5FCE-0000-0010A73E2E00}6000C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe?????"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000022415Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:15:13.383{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-38F1-5FCE-0000-0010A73E2E00}6000C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022416Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:15:13.383{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640788C:\Windows\system32\csrss.exe{7E7FFDA1-38F1-5FCE-0000-0010A73E2E00}6000C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000022417Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:15:13.383{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022418Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:15:13.383{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022419Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:15:13.383{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022420Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:15:13.383{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022421Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:15:13.383{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-38F1-5FCE-0000-0010A73E2E00}6000C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022422Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:15:13.524{7E7FFDA1-38F1-5FCE-0000-0010A73E2E00}60003632C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000022405Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:15:12.509{7E7FFDA1-38F0-5FCE-0000-0010DB3C2E00}6624C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000022406Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:15:12.508{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-38F0-5FCE-0000-0010DB3C2E00}6624C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022407Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:15:12.508{7E7FFDA1-18AF-5FCE-0000-0010FA420000}6402404C:\Windows\system32\csrss.exe{7E7FFDA1-38F0-5FCE-0000-0010DB3C2E00}6624C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000022408Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:15:12.508{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022409Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:15:12.508{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022410Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:15:12.508{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022411Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:15:12.508{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022412Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:15:12.508{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-38F0-5FCE-0000-0010DB3C2E00}6624C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022413Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:15:12.649{7E7FFDA1-38F0-5FCE-0000-0010DB3C2E00}66243972C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000022397Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:15:11.540{7E7FFDA1-38EF-5FCE-0000-00102E3B2E00}4712C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000022398Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:15:11.540{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-38EF-5FCE-0000-00102E3B2E00}4712C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022399Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:15:11.540{7E7FFDA1-18AF-5FCE-0000-0010FA420000}6401160C:\Windows\system32\csrss.exe{7E7FFDA1-38EF-5FCE-0000-00102E3B2E00}4712C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000022400Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:15:11.540{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022401Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:15:11.540{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022402Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:15:11.540{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022403Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:15:11.540{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022404Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:15:11.540{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-38EF-5FCE-0000-00102E3B2E00}4712C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000022389Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:14:16.540{7E7FFDA1-38B8-5FCE-0000-00102B2F2E00}3560C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000022390Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:14:16.539{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-38B8-5FCE-0000-00102B2F2E00}3560C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022391Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:14:16.539{7E7FFDA1-18AF-5FCE-0000-0010FA420000}6402404C:\Windows\system32\csrss.exe{7E7FFDA1-38B8-5FCE-0000-00102B2F2E00}3560C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000022392Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:14:16.539{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022393Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:14:16.539{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022394Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:14:16.539{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022395Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:14:16.539{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022396Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:14:16.539{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-38B8-5FCE-0000-00102B2F2E00}3560C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000022380Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:14:15.337{7E7FFDA1-38B7-5FCE-0000-0010F62C2E00}6048C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000022381Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:14:15.336{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-38B7-5FCE-0000-0010F62C2E00}6048C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022382Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:14:15.336{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640656C:\Windows\system32\csrss.exe{7E7FFDA1-38B7-5FCE-0000-0010F62C2E00}6048C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000022383Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:14:15.336{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022384Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:14:15.336{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022385Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:14:15.336{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022386Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:14:15.336{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022387Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:14:15.336{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-38B7-5FCE-0000-0010F62C2E00}6048C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022388Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:14:15.477{7E7FFDA1-38B7-5FCE-0000-0010F62C2E00}60484444C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022370Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:14:14.133{7E7FFDA1-38B5-5FCE-0000-0010AC292E00}65246572C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000022371Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:14:14.665{7E7FFDA1-38B6-5FCE-0000-00103A2B2E00}2656C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe?????"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000022372Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:14:14.664{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-38B6-5FCE-0000-00103A2B2E00}2656C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022373Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:14:14.664{7E7FFDA1-18AF-5FCE-0000-0010FA420000}6402404C:\Windows\system32\csrss.exe{7E7FFDA1-38B6-5FCE-0000-00103A2B2E00}2656C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000022374Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:14:14.664{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022375Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:14:14.664{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022376Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:14:14.664{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022377Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:14:14.664{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022378Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:14:14.664{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-38B6-5FCE-0000-00103A2B2E00}2656C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022379Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:14:14.805{7E7FFDA1-38B6-5FCE-0000-00103A2B2E00}26564428C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000022354Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:14:13.384{7E7FFDA1-38B5-5FCE-0000-0010DE272E00}5784C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000022355Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:14:13.383{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-38B5-5FCE-0000-0010DE272E00}5784C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022356Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:14:13.383{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640656C:\Windows\system32\csrss.exe{7E7FFDA1-38B5-5FCE-0000-0010DE272E00}5784C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000022357Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:14:13.383{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022358Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:14:13.383{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022359Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:14:13.383{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022360Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:14:13.383{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022361Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:14:13.383{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-38B5-5FCE-0000-0010DE272E00}5784C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000022362Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:14:13.994{7E7FFDA1-38B5-5FCE-0000-0010AC292E00}6524C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe?????"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000022363Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:14:13.992{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-38B5-5FCE-0000-0010AC292E00}6524C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022364Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:14:13.992{7E7FFDA1-18AF-5FCE-0000-0010FA420000}6401160C:\Windows\system32\csrss.exe{7E7FFDA1-38B5-5FCE-0000-0010AC292E00}6524C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000022365Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:14:13.992{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022366Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:14:13.992{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022367Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:14:13.992{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022368Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:14:13.992{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022369Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:14:13.992{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-38B5-5FCE-0000-0010AC292E00}6524C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000022345Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:14:12.509{7E7FFDA1-38B4-5FCE-0000-001016262E00}4552C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000022346Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:14:12.508{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-38B4-5FCE-0000-001016262E00}4552C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022347Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:14:12.508{7E7FFDA1-18AF-5FCE-0000-0010FA420000}6402404C:\Windows\system32\csrss.exe{7E7FFDA1-38B4-5FCE-0000-001016262E00}4552C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000022348Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:14:12.508{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022349Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:14:12.508{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022350Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:14:12.508{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022351Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:14:12.508{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022352Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:14:12.508{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-38B4-5FCE-0000-001016262E00}4552C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022353Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:14:12.649{7E7FFDA1-38B4-5FCE-0000-001016262E00}4552600C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000022337Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:14:11.525{7E7FFDA1-38B3-5FCE-0000-00106C242E00}5100C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000022338Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:14:11.524{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-38B3-5FCE-0000-00106C242E00}5100C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022339Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:14:11.524{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640656C:\Windows\system32\csrss.exe{7E7FFDA1-38B3-5FCE-0000-00106C242E00}5100C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000022340Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:14:11.524{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022341Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:14:11.524{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022342Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:14:11.524{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022343Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:14:11.524{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022344Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:14:11.524{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-38B3-5FCE-0000-00106C242E00}5100C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022308Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:13:42.008{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-0010F6730B00}5664C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022309Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:13:42.008{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-0010F6730B00}5664C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022310Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:13:42.008{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-0010F6730B00}5664C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022311Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:13:42.008{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-0010F6730B00}5664C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022312Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:13:42.008{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-0010F6730B00}5664C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022313Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:13:42.008{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-0010F6730B00}5664C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022314Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:13:42.008{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-0010F6730B00}5664C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022315Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:13:42.008{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-0010F6730B00}5664C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022316Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:13:42.008{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-001032810B00}5772C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022317Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:13:42.008{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-001032810B00}5772C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022318Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:13:42.008{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-001032810B00}5772C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022319Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:13:42.008{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-001032810B00}5772C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022320Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:13:42.008{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-001032810B00}5772C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022321Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:13:42.008{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-001032810B00}5772C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022322Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:13:42.008{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-001032810B00}5772C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022323Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:13:42.008{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022324Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:13:42.008{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022325Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:13:42.008{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022326Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:13:42.008{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022327Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:13:42.008{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022328Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:13:42.008{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022329Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:13:42.008{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022330Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:13:42.008{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022331Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:13:42.008{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022332Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:13:42.008{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022333Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:13:42.008{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022334Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:13:42.008{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022335Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:13:42.008{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022336Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:13:42.008{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x800000000000000022305Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 14:13:20.273{7E7FFDA1-18C1-5FCE-0000-001019C00200}3100C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\A47110B2-D436-47F8-BEA1-61CCEBF6C04E\Replica Set Configuration File\\?\C:\System Volume Information\DFSR\Config\Replica_A47110B2-D436-47F8-BEA1-61CCEBF6C04E.XML 13241300x800000000000000022306Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 14:13:20.273{7E7FFDA1-18C1-5FCE-0000-001019C00200}3100C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\A47110B2-D436-47F8-BEA1-61CCEBF6C04E\Config SourceDWORD (0x00000001) 13241300x800000000000000022307Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 14:13:20.273{7E7FFDA1-18C1-5FCE-0000-001019C00200}3100C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Volumes\9D191D6C-0000-0000-0000-100000000000\Volume Configuration File\\.\C:\System Volume Information\DFSR\Config\Volume_9D191D6C-0000-0000-0000-100000000000.XML 154100x800000000000000022297Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:13:16.524{7E7FFDA1-387C-5FCE-0000-0010BF012E00}5712C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000022298Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:13:16.523{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-387C-5FCE-0000-0010BF012E00}5712C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022299Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:13:16.523{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640788C:\Windows\system32\csrss.exe{7E7FFDA1-387C-5FCE-0000-0010BF012E00}5712C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000022300Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:13:16.523{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022301Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:13:16.523{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022302Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:13:16.523{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022303Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:13:16.523{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022304Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:13:16.523{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-387C-5FCE-0000-0010BF012E00}5712C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000022288Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:13:15.352{7E7FFDA1-387B-5FCE-0000-0010F6FF2D00}2236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe?????"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000022289Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:13:15.352{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-387B-5FCE-0000-0010F6FF2D00}2236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022290Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:13:15.352{7E7FFDA1-18AF-5FCE-0000-0010FA420000}6401160C:\Windows\system32\csrss.exe{7E7FFDA1-387B-5FCE-0000-0010F6FF2D00}2236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000022291Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:13:15.352{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022292Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:13:15.352{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022293Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:13:15.352{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022294Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:13:15.352{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022295Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:13:15.352{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-387B-5FCE-0000-0010F6FF2D00}2236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022296Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:13:15.492{7E7FFDA1-387B-5FCE-0000-0010F6FF2D00}22362488C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000022271Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:13:14.009{7E7FFDA1-387A-5FCE-0000-001030FC2D00}5820C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000022272Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:13:14.008{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-387A-5FCE-0000-001030FC2D00}5820C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022273Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:13:14.008{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640788C:\Windows\system32\csrss.exe{7E7FFDA1-387A-5FCE-0000-001030FC2D00}5820C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000022274Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:13:14.008{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022275Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:13:14.008{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022276Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:13:14.008{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022277Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:13:14.008{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022278Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:13:14.008{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-387A-5FCE-0000-001030FC2D00}5820C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000022279Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:13:14.680{7E7FFDA1-387A-5FCE-0000-0010E2FD2D00}4128C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000022280Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:13:14.680{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-387A-5FCE-0000-0010E2FD2D00}4128C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022281Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:13:14.680{7E7FFDA1-18AF-5FCE-0000-0010FA420000}6402404C:\Windows\system32\csrss.exe{7E7FFDA1-387A-5FCE-0000-0010E2FD2D00}4128C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000022282Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:13:14.680{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022283Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:13:14.680{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022284Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:13:14.680{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022285Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:13:14.680{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022286Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:13:14.680{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-387A-5FCE-0000-0010E2FD2D00}4128C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022287Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:13:14.836{7E7FFDA1-387A-5FCE-0000-0010E2FD2D00}41286700C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000022262Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:13:13.384{7E7FFDA1-3879-5FCE-0000-001084FA2D00}5548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe?????"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000022263Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:13:13.383{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-3879-5FCE-0000-001084FA2D00}5548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022264Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:13:13.383{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640788C:\Windows\system32\csrss.exe{7E7FFDA1-3879-5FCE-0000-001084FA2D00}5548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000022265Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:13:13.383{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022266Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:13:13.383{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022267Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:13:13.383{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022268Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:13:13.383{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022269Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:13:13.383{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-3879-5FCE-0000-001084FA2D00}5548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022270Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:13:13.523{7E7FFDA1-3879-5FCE-0000-001084FA2D00}55487036C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000022253Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:13:12.509{7E7FFDA1-3878-5FCE-0000-0010B2F82D00}5540C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000022254Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:13:12.508{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-3878-5FCE-0000-0010B2F82D00}5540C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022255Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:13:12.508{7E7FFDA1-18AF-5FCE-0000-0010FA420000}6401160C:\Windows\system32\csrss.exe{7E7FFDA1-3878-5FCE-0000-0010B2F82D00}5540C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000022256Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:13:12.508{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022257Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:13:12.508{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022258Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:13:12.508{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022259Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:13:12.508{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022260Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:13:12.508{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-3878-5FCE-0000-0010B2F82D00}5540C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022261Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:13:12.648{7E7FFDA1-3878-5FCE-0000-0010B2F82D00}55405600C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000022245Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:13:11.680{7E7FFDA1-3877-5FCE-0000-00101DF72D00}1064C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000022246Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:13:11.680{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-3877-5FCE-0000-00101DF72D00}1064C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022247Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:13:11.680{7E7FFDA1-18AF-5FCE-0000-0010FA420000}6401160C:\Windows\system32\csrss.exe{7E7FFDA1-3877-5FCE-0000-00101DF72D00}1064C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000022248Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:13:11.680{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022249Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:13:11.680{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022250Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:13:11.680{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022251Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:13:11.680{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022252Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:13:11.680{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-3877-5FCE-0000-00101DF72D00}1064C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000022237Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:12:16.508{7E7FFDA1-3840-5FCE-0000-00108EEA2D00}4276C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000022238Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:12:16.508{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-3840-5FCE-0000-00108EEA2D00}4276C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022239Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:12:16.508{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640788C:\Windows\system32\csrss.exe{7E7FFDA1-3840-5FCE-0000-00108EEA2D00}4276C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000022240Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:12:16.508{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022241Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:12:16.508{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022242Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:12:16.508{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022243Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:12:16.508{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022244Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:12:16.508{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-3840-5FCE-0000-00108EEA2D00}4276C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000022228Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:12:15.196{7E7FFDA1-383F-5FCE-0000-0010AFE82D00}5312C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe?????"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000022229Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:12:15.195{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-383F-5FCE-0000-0010AFE82D00}5312C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022230Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:12:15.195{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640656C:\Windows\system32\csrss.exe{7E7FFDA1-383F-5FCE-0000-0010AFE82D00}5312C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000022231Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:12:15.195{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022232Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:12:15.195{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022233Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:12:15.195{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022234Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:12:15.195{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022235Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:12:15.195{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-383F-5FCE-0000-0010AFE82D00}5312C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022236Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:12:15.336{7E7FFDA1-383F-5FCE-0000-0010AFE82D00}53122188C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000022219Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:12:14.525{7E7FFDA1-383E-5FCE-0000-0010B3E62D00}1392C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000022220Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:12:14.523{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-383E-5FCE-0000-0010B3E62D00}1392C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022221Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:12:14.523{7E7FFDA1-18AF-5FCE-0000-0010FA420000}6401160C:\Windows\system32\csrss.exe{7E7FFDA1-383E-5FCE-0000-0010B3E62D00}1392C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000022222Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:12:14.523{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022223Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:12:14.523{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022224Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:12:14.523{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022225Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:12:14.523{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022226Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:12:14.523{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-383E-5FCE-0000-0010B3E62D00}1392C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022227Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:12:14.664{7E7FFDA1-383E-5FCE-0000-0010B3E62D00}13921448C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000022202Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:12:13.383{7E7FFDA1-383D-5FCE-0000-00104EE32D00}6116C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe?????"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000022203Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:12:13.383{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-383D-5FCE-0000-00104EE32D00}6116C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022204Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:12:13.383{7E7FFDA1-18AF-5FCE-0000-0010FA420000}6401160C:\Windows\system32\csrss.exe{7E7FFDA1-383D-5FCE-0000-00104EE32D00}6116C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000022205Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:12:13.383{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022206Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:12:13.383{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022207Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:12:13.383{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022208Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:12:13.383{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022209Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:12:13.383{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-383D-5FCE-0000-00104EE32D00}6116C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022210Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:12:13.523{7E7FFDA1-383D-5FCE-0000-00104EE32D00}61165228C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000022211Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:12:13.993{7E7FFDA1-383D-5FCE-0000-0010DCE42D00}1168C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000022212Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:12:13.992{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-383D-5FCE-0000-0010DCE42D00}1168C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022213Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:12:13.992{7E7FFDA1-18AF-5FCE-0000-0010FA420000}6401160C:\Windows\system32\csrss.exe{7E7FFDA1-383D-5FCE-0000-0010DCE42D00}1168C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000022214Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:12:13.992{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022215Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:12:13.992{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022216Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:12:13.992{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022217Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:12:13.992{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022218Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:12:13.992{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-383D-5FCE-0000-0010DCE42D00}1168C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000022193Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:12:12.508{7E7FFDA1-383C-5FCE-0000-001087E12D00}7020C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000022194Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:12:12.508{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-383C-5FCE-0000-001087E12D00}7020C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022195Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:12:12.508{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640656C:\Windows\system32\csrss.exe{7E7FFDA1-383C-5FCE-0000-001087E12D00}7020C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000022196Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:12:12.508{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022197Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:12:12.508{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022198Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:12:12.508{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022199Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:12:12.508{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022200Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:12:12.508{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-383C-5FCE-0000-001087E12D00}7020C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022201Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:12:12.648{7E7FFDA1-383C-5FCE-0000-001087E12D00}70202964C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000022185Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:12:11.665{7E7FFDA1-383B-5FCE-0000-0010D6DF2D00}5420C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000022186Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:12:11.664{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-383B-5FCE-0000-0010D6DF2D00}5420C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022187Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:12:11.664{7E7FFDA1-18AF-5FCE-0000-0010FA420000}6401160C:\Windows\system32\csrss.exe{7E7FFDA1-383B-5FCE-0000-0010D6DF2D00}5420C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000022188Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:12:11.664{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022189Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:12:11.664{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022190Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:12:11.664{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022191Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:12:11.664{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022192Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:12:11.664{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-383B-5FCE-0000-0010D6DF2D00}5420C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x800000000000000022184Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 14:11:45.570{7E7FFDA1-18B1-5FCE-0000-001008C50000}1204C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d6cca2-0xe52cf207) 10341000x800000000000000022183Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:11:40.992{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}6126920C:\Windows\system32\svchost.exe{7E7FFDA1-18B1-5FCE-0000-001002BA0000}1152C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000022175Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:11:16.508{7E7FFDA1-3804-5FCE-0000-0010C3D32D00}3884C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000022176Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:11:16.507{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-3804-5FCE-0000-0010C3D32D00}3884C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022177Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:11:16.507{7E7FFDA1-18AF-5FCE-0000-0010FA420000}6402404C:\Windows\system32\csrss.exe{7E7FFDA1-3804-5FCE-0000-0010C3D32D00}3884C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000022178Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:11:16.507{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022179Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:11:16.507{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022180Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:11:16.507{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022181Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:11:16.507{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022182Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:11:16.507{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-3804-5FCE-0000-0010C3D32D00}3884C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000022166Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:11:15.321{7E7FFDA1-3803-5FCE-0000-0010FFD12D00}6804C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe?????"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000022167Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:11:15.320{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-3803-5FCE-0000-0010FFD12D00}6804C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022168Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:11:15.320{7E7FFDA1-18AF-5FCE-0000-0010FA420000}6402404C:\Windows\system32\csrss.exe{7E7FFDA1-3803-5FCE-0000-0010FFD12D00}6804C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000022169Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:11:15.320{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022170Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:11:15.320{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022171Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:11:15.320{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022172Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:11:15.320{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022173Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:11:15.320{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-3803-5FCE-0000-0010FFD12D00}6804C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022174Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:11:15.461{7E7FFDA1-3803-5FCE-0000-0010FFD12D00}68042692C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022156Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:11:14.117{7E7FFDA1-3801-5FCE-0000-001044CE2D00}69766992C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000022157Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:11:14.649{7E7FFDA1-3802-5FCE-0000-0010E1CF2D00}1608C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000022158Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:11:14.648{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-3802-5FCE-0000-0010E1CF2D00}1608C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022159Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:11:14.648{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640788C:\Windows\system32\csrss.exe{7E7FFDA1-3802-5FCE-0000-0010E1CF2D00}1608C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000022160Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:11:14.648{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022161Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:11:14.648{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022162Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:11:14.648{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022163Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:11:14.648{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022164Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:11:14.648{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-3802-5FCE-0000-0010E1CF2D00}1608C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022165Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:11:14.789{7E7FFDA1-3802-5FCE-0000-0010E1CF2D00}16086064C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000022140Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:11:13.383{7E7FFDA1-3801-5FCE-0000-001083CC2D00}6928C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000022141Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:11:13.382{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-3801-5FCE-0000-001083CC2D00}6928C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022142Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:11:13.382{7E7FFDA1-18AF-5FCE-0000-0010FA420000}6402404C:\Windows\system32\csrss.exe{7E7FFDA1-3801-5FCE-0000-001083CC2D00}6928C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000022143Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:11:13.382{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022144Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:11:13.382{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022145Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:11:13.382{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022146Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:11:13.382{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022147Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:11:13.382{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-3801-5FCE-0000-001083CC2D00}6928C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000022148Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:11:13.977{7E7FFDA1-3801-5FCE-0000-001044CE2D00}6976C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe?????"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000022149Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:11:13.976{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-3801-5FCE-0000-001044CE2D00}6976C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022150Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:11:13.976{7E7FFDA1-18AF-5FCE-0000-0010FA420000}6401160C:\Windows\system32\csrss.exe{7E7FFDA1-3801-5FCE-0000-001044CE2D00}6976C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000022151Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:11:13.976{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022152Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:11:13.976{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022153Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:11:13.976{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022154Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:11:13.976{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022155Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:11:13.976{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-3801-5FCE-0000-001044CE2D00}6976C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000022131Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:11:12.508{7E7FFDA1-3800-5FCE-0000-0010BFCA2D00}5812C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000022132Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:11:12.507{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-3800-5FCE-0000-0010BFCA2D00}5812C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022133Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:11:12.507{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640656C:\Windows\system32\csrss.exe{7E7FFDA1-3800-5FCE-0000-0010BFCA2D00}5812C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000022134Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:11:12.507{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022135Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:11:12.507{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022136Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:11:12.507{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022137Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:11:12.507{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022138Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:11:12.507{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-3800-5FCE-0000-0010BFCA2D00}5812C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022139Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:11:12.648{7E7FFDA1-3800-5FCE-0000-0010BFCA2D00}58127124C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000022123Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:11:11.664{7E7FFDA1-37FF-5FCE-0000-00100AC92D00}6576C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000022124Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:11:11.664{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-37FF-5FCE-0000-00100AC92D00}6576C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022125Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:11:11.664{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640656C:\Windows\system32\csrss.exe{7E7FFDA1-37FF-5FCE-0000-00100AC92D00}6576C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000022126Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:11:11.664{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022127Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:11:11.664{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022128Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:11:11.664{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022129Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:11:11.664{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022130Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:11:11.664{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-37FF-5FCE-0000-00100AC92D00}6576C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x800000000000000022113Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 14:10:58.414{7E7FFDA1-18AF-5FCE-0000-001027540000}856C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d6ccab-0x2a9e5e6a) 13241300x800000000000000022114Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 14:10:58.414{7E7FFDA1-18AF-5FCE-0000-001027540000}856C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d6cca2-0xc8d9f66a) 13241300x800000000000000022115Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 14:10:58.414{7E7FFDA1-18AF-5FCE-0000-001027540000}856C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d6cc9a-0x67158e6a) 13241300x800000000000000022116Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 14:10:58.414{7E7FFDA1-18AF-5FCE-0000-001027540000}856C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x007a33ff) 13241300x800000000000000022117Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 14:10:58.414{7E7FFDA1-18AF-5FCE-0000-001027540000}856C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x800000000000000022118Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 14:10:58.414{7E7FFDA1-18AF-5FCE-0000-001027540000}856C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d6ccab-0x2a9e5e6a) 13241300x800000000000000022119Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 14:10:58.414{7E7FFDA1-18AF-5FCE-0000-001027540000}856C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d6cca2-0xc8d9f66a) 13241300x800000000000000022120Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 14:10:58.414{7E7FFDA1-18AF-5FCE-0000-001027540000}856C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d6cc9a-0x67158e6a) 13241300x800000000000000022121Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 14:10:58.414{7E7FFDA1-18AF-5FCE-0000-001027540000}856C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x007a33ff) 13241300x800000000000000022122Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 14:10:58.414{7E7FFDA1-18AF-5FCE-0000-001027540000}856C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 10341000x800000000000000022112Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:10:40.117{7E7FFDA1-18AF-5FCE-0000-001027540000}856896C:\Windows\system32\lsass.exe{7E7FFDA1-18AE-5FCE-0000-0010EB030000}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2e101|C:\Windows\system32\lsasrv.dll+2c2c4|C:\Windows\system32\lsasrv.dll+31819|C:\Windows\system32\lsasrv.dll+2f177|C:\Windows\system32\lsasrv.dll+2e101|C:\Windows\system32\lsasrv.dll+16cdd|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x800000000000000022109Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:10:37.445{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18B1-5FCE-0000-0010CBF20000}1588C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022110Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:10:37.445{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18B1-5FCE-0000-0010CBF20000}1588C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022111Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:10:37.445{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18B1-5FCE-0000-0010CBF20000}1588C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000022101Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:10:16.508{7E7FFDA1-37C8-5FCE-0000-001092B72D00}6788C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000022102Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:10:16.507{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-37C8-5FCE-0000-001092B72D00}6788C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022103Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:10:16.507{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640656C:\Windows\system32\csrss.exe{7E7FFDA1-37C8-5FCE-0000-001092B72D00}6788C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000022104Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:10:16.507{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022105Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:10:16.507{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022106Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:10:16.507{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022107Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:10:16.507{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022108Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:10:16.507{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-37C8-5FCE-0000-001092B72D00}6788C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000022092Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:10:15.305{7E7FFDA1-37C7-5FCE-0000-0010CDB52D00}6300C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe?????"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000022093Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:10:15.304{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-37C7-5FCE-0000-0010CDB52D00}6300C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022094Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:10:15.304{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640788C:\Windows\system32\csrss.exe{7E7FFDA1-37C7-5FCE-0000-0010CDB52D00}6300C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000022095Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:10:15.304{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022096Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:10:15.304{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022097Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:10:15.304{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022098Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:10:15.304{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022099Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:10:15.304{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-37C7-5FCE-0000-0010CDB52D00}6300C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022100Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:10:15.445{7E7FFDA1-37C7-5FCE-0000-0010CDB52D00}63004332C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022082Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:10:14.101{7E7FFDA1-37C5-5FCE-0000-001011B22D00}67366672C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000022083Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:10:14.633{7E7FFDA1-37C6-5FCE-0000-0010A0B32D00}5624C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000022084Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:10:14.633{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-37C6-5FCE-0000-0010A0B32D00}5624C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022085Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:10:14.633{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640788C:\Windows\system32\csrss.exe{7E7FFDA1-37C6-5FCE-0000-0010A0B32D00}5624C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000022086Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:10:14.633{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022087Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:10:14.633{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022088Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:10:14.633{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022089Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:10:14.633{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022090Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:10:14.633{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-37C6-5FCE-0000-0010A0B32D00}5624C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022091Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:10:14.789{7E7FFDA1-37C6-5FCE-0000-0010A0B32D00}56246684C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000022066Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:10:13.383{7E7FFDA1-37C5-5FCE-0000-001049B02D00}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000022067Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:10:13.382{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-37C5-5FCE-0000-001049B02D00}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022068Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:10:13.382{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640656C:\Windows\system32\csrss.exe{7E7FFDA1-37C5-5FCE-0000-001049B02D00}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000022069Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:10:13.382{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022070Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:10:13.382{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022071Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:10:13.382{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022072Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:10:13.382{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022073Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:10:13.382{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-37C5-5FCE-0000-001049B02D00}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000022074Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:10:13.962{7E7FFDA1-37C5-5FCE-0000-001011B22D00}6736C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe?????"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000022075Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:10:13.961{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-37C5-5FCE-0000-001011B22D00}6736C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022076Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:10:13.961{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640656C:\Windows\system32\csrss.exe{7E7FFDA1-37C5-5FCE-0000-001011B22D00}6736C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000022077Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:10:13.961{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022078Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:10:13.961{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022079Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:10:13.961{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022080Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:10:13.961{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022081Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:10:13.961{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-37C5-5FCE-0000-001011B22D00}6736C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000022057Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:10:12.508{7E7FFDA1-37C4-5FCE-0000-001077AE2D00}2264C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000022058Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:10:12.508{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-37C4-5FCE-0000-001077AE2D00}2264C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022059Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:10:12.508{7E7FFDA1-18AF-5FCE-0000-0010FA420000}6401160C:\Windows\system32\csrss.exe{7E7FFDA1-37C4-5FCE-0000-001077AE2D00}2264C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000022060Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:10:12.508{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022061Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:10:12.508{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022062Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:10:12.508{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022063Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:10:12.508{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022064Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:10:12.508{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-37C4-5FCE-0000-001077AE2D00}2264C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022065Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:10:12.648{7E7FFDA1-37C4-5FCE-0000-001077AE2D00}22645364C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000022049Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:10:11.649{7E7FFDA1-37C3-5FCE-0000-0010C2AC2D00}5804C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000022050Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:10:11.648{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-37C3-5FCE-0000-0010C2AC2D00}5804C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022051Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:10:11.648{7E7FFDA1-18AF-5FCE-0000-0010FA420000}6402404C:\Windows\system32\csrss.exe{7E7FFDA1-37C3-5FCE-0000-0010C2AC2D00}5804C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000022052Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:10:11.648{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022053Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:10:11.648{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022054Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:10:11.648{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022055Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:10:11.648{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022056Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:10:11.648{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-37C3-5FCE-0000-0010C2AC2D00}5804C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022020Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:09:45.789{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-0010F6730B00}5664C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022021Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:09:45.789{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-0010F6730B00}5664C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022022Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:09:45.789{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-0010F6730B00}5664C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022023Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:09:45.789{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-0010F6730B00}5664C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022024Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:09:45.789{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-0010F6730B00}5664C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022025Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:09:45.789{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-0010F6730B00}5664C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022026Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:09:45.789{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-0010F6730B00}5664C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022027Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:09:45.789{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-0010F6730B00}5664C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022028Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:09:45.789{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-001032810B00}5772C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022029Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:09:45.789{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-001032810B00}5772C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022030Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:09:45.789{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-001032810B00}5772C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022031Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:09:45.789{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-001032810B00}5772C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022032Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:09:45.789{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-001032810B00}5772C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022033Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:09:45.789{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-001032810B00}5772C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022034Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:09:45.789{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-001032810B00}5772C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022035Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:09:45.789{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022036Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:09:45.789{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022037Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:09:45.789{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022038Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:09:45.789{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022039Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:09:45.789{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022040Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:09:45.789{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022041Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:09:45.789{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022042Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:09:45.789{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022043Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:09:45.789{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022044Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:09:45.789{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022045Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:09:45.789{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022046Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:09:45.789{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022047Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:09:45.789{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022048Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:09:45.789{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x800000000000000022019Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 14:09:37.711{7E7FFDA1-18B1-5FCE-0000-001008C50000}1204C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d6cca2-0x98f730c9) 154100x800000000000000022011Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:09:16.508{7E7FFDA1-378C-5FCE-0000-0010FF9F2D00}5540C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000022012Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:09:16.508{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-378C-5FCE-0000-0010FF9F2D00}5540C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022013Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:09:16.508{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640788C:\Windows\system32\csrss.exe{7E7FFDA1-378C-5FCE-0000-0010FF9F2D00}5540C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000022014Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:09:16.508{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022015Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:09:16.508{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022016Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:09:16.508{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022017Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:09:16.508{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022018Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:09:16.508{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-378C-5FCE-0000-0010FF9F2D00}5540C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000022002Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:09:15.305{7E7FFDA1-378B-5FCE-0000-0010449E2D00}5280C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe?????"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000022003Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:09:15.304{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-378B-5FCE-0000-0010449E2D00}5280C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022004Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:09:15.304{7E7FFDA1-18AF-5FCE-0000-0010FA420000}6401160C:\Windows\system32\csrss.exe{7E7FFDA1-378B-5FCE-0000-0010449E2D00}5280C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000022005Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:09:15.304{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022006Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:09:15.304{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022007Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:09:15.304{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022008Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:09:15.304{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022009Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:09:15.304{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-378B-5FCE-0000-0010449E2D00}5280C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022010Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:09:15.445{7E7FFDA1-378B-5FCE-0000-0010449E2D00}52806068C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000021993Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:09:14.633{7E7FFDA1-378A-5FCE-0000-0010229C2D00}2400C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000021994Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:09:14.633{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-378A-5FCE-0000-0010229C2D00}2400C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021995Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:09:14.633{7E7FFDA1-18AF-5FCE-0000-0010FA420000}6402404C:\Windows\system32\csrss.exe{7E7FFDA1-378A-5FCE-0000-0010229C2D00}2400C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000021996Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:09:14.633{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021997Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:09:14.633{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021998Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:09:14.633{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021999Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:09:14.633{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022000Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:09:14.633{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-378A-5FCE-0000-0010229C2D00}2400C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022001Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:09:14.773{7E7FFDA1-378A-5FCE-0000-0010229C2D00}24006256C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000021976Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:09:13.383{7E7FFDA1-3789-5FCE-0000-0010C2982D00}4256C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe?????"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000021977Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:09:13.383{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-3789-5FCE-0000-0010C2982D00}4256C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021978Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:09:13.383{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640656C:\Windows\system32\csrss.exe{7E7FFDA1-3789-5FCE-0000-0010C2982D00}4256C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000021979Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:09:13.383{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021980Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:09:13.383{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021981Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:09:13.383{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021982Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:09:13.383{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021983Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:09:13.383{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-3789-5FCE-0000-0010C2982D00}4256C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021984Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:09:13.523{7E7FFDA1-3789-5FCE-0000-0010C2982D00}42565160C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000021985Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:09:13.962{7E7FFDA1-3789-5FCE-0000-00106B9A2D00}2496C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000021986Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:09:13.961{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-3789-5FCE-0000-00106B9A2D00}2496C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021987Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:09:13.961{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640788C:\Windows\system32\csrss.exe{7E7FFDA1-3789-5FCE-0000-00106B9A2D00}2496C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000021988Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:09:13.961{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021989Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:09:13.961{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021990Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:09:13.961{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021991Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:09:13.961{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021992Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:09:13.961{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-3789-5FCE-0000-00106B9A2D00}2496C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000021967Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:09:12.508{7E7FFDA1-3788-5FCE-0000-0010F7962D00}2012C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000021968Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:09:12.508{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-3788-5FCE-0000-0010F7962D00}2012C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021969Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:09:12.508{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640656C:\Windows\system32\csrss.exe{7E7FFDA1-3788-5FCE-0000-0010F7962D00}2012C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000021970Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:09:12.508{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021971Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:09:12.508{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021972Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:09:12.508{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021973Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:09:12.508{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021974Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:09:12.508{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-3788-5FCE-0000-0010F7962D00}2012C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021975Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:09:12.648{7E7FFDA1-3788-5FCE-0000-0010F7962D00}20125224C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000021959Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:09:11.633{7E7FFDA1-3787-5FCE-0000-00106C952D00}4780C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000021960Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:09:11.633{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-3787-5FCE-0000-00106C952D00}4780C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021961Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:09:11.633{7E7FFDA1-18AF-5FCE-0000-0010FA420000}6402404C:\Windows\system32\csrss.exe{7E7FFDA1-3787-5FCE-0000-00106C952D00}4780C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000021962Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:09:11.633{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021963Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:09:11.633{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021964Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:09:11.633{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021965Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:09:11.633{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021966Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:09:11.633{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-3787-5FCE-0000-00106C952D00}4780C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x800000000000000021956Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 14:08:19.726{7E7FFDA1-18C1-5FCE-0000-001019C00200}3100C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\A47110B2-D436-47F8-BEA1-61CCEBF6C04E\Replica Set Configuration File\\?\C:\System Volume Information\DFSR\Config\Replica_A47110B2-D436-47F8-BEA1-61CCEBF6C04E.XML 13241300x800000000000000021957Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 14:08:19.726{7E7FFDA1-18C1-5FCE-0000-001019C00200}3100C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\A47110B2-D436-47F8-BEA1-61CCEBF6C04E\Config SourceDWORD (0x00000001) 13241300x800000000000000021958Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 14:08:19.726{7E7FFDA1-18C1-5FCE-0000-001019C00200}3100C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Volumes\9D191D6C-0000-0000-0000-100000000000\Volume Configuration File\\.\C:\System Volume Information\DFSR\Config\Volume_9D191D6C-0000-0000-0000-100000000000.XML 154100x800000000000000021948Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:08:16.493{7E7FFDA1-3750-5FCE-0000-001053872D00}1096C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000021949Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:08:16.492{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-3750-5FCE-0000-001053872D00}1096C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021950Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:08:16.492{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640656C:\Windows\system32\csrss.exe{7E7FFDA1-3750-5FCE-0000-001053872D00}1096C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000021951Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:08:16.492{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021952Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:08:16.492{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021953Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:08:16.492{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021954Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:08:16.492{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021955Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:08:16.492{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-3750-5FCE-0000-001053872D00}1096C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000021939Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:08:15.290{7E7FFDA1-374F-5FCE-0000-00108E852D00}4124C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe?????"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000021940Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:08:15.289{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-374F-5FCE-0000-00108E852D00}4124C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021941Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:08:15.289{7E7FFDA1-18AF-5FCE-0000-0010FA420000}6402404C:\Windows\system32\csrss.exe{7E7FFDA1-374F-5FCE-0000-00108E852D00}4124C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000021942Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:08:15.289{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021943Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:08:15.289{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021944Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:08:15.289{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021945Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:08:15.289{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021946Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:08:15.289{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-374F-5FCE-0000-00108E852D00}4124C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021947Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:08:15.430{7E7FFDA1-374F-5FCE-0000-00108E852D00}41246608C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000021930Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:08:14.618{7E7FFDA1-374E-5FCE-0000-001082832D00}1856C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000021931Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:08:14.617{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-374E-5FCE-0000-001082832D00}1856C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021932Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:08:14.617{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640656C:\Windows\system32\csrss.exe{7E7FFDA1-374E-5FCE-0000-001082832D00}1856C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000021933Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:08:14.617{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021934Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:08:14.617{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021935Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:08:14.617{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021936Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:08:14.617{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021937Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:08:14.617{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-374E-5FCE-0000-001082832D00}1856C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021938Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:08:14.773{7E7FFDA1-374E-5FCE-0000-001082832D00}18564988C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000021913Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:08:13.383{7E7FFDA1-374D-5FCE-0000-001017802D00}5292C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe?????"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000021914Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:08:13.383{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-374D-5FCE-0000-001017802D00}5292C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021915Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:08:13.383{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640656C:\Windows\system32\csrss.exe{7E7FFDA1-374D-5FCE-0000-001017802D00}5292C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000021916Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:08:13.383{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021917Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:08:13.383{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021918Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:08:13.383{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021919Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:08:13.383{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021920Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:08:13.383{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-374D-5FCE-0000-001017802D00}5292C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021921Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:08:13.523{7E7FFDA1-374D-5FCE-0000-001017802D00}5292632C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000021922Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:08:13.946{7E7FFDA1-374D-5FCE-0000-0010C0812D00}4824C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000021923Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:08:13.945{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-374D-5FCE-0000-0010C0812D00}4824C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021924Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:08:13.945{7E7FFDA1-18AF-5FCE-0000-0010FA420000}6401160C:\Windows\system32\csrss.exe{7E7FFDA1-374D-5FCE-0000-0010C0812D00}4824C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000021925Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:08:13.945{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021926Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:08:13.945{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021927Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:08:13.945{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021928Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:08:13.945{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021929Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:08:13.945{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-374D-5FCE-0000-0010C0812D00}4824C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000021904Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:08:12.493{7E7FFDA1-374C-5FCE-0000-00104B7E2D00}5744C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000021905Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:08:12.492{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-374C-5FCE-0000-00104B7E2D00}5744C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021906Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:08:12.492{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640788C:\Windows\system32\csrss.exe{7E7FFDA1-374C-5FCE-0000-00104B7E2D00}5744C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000021907Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:08:12.492{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021908Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:08:12.492{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021909Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:08:12.492{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021910Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:08:12.492{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021911Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:08:12.492{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-374C-5FCE-0000-00104B7E2D00}5744C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021912Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:08:12.633{7E7FFDA1-374C-5FCE-0000-00104B7E2D00}57442584C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000021896Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:08:11.618{7E7FFDA1-374B-5FCE-0000-0010A27C2D00}6988C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000021897Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:08:11.617{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-374B-5FCE-0000-0010A27C2D00}6988C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021898Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:08:11.617{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640788C:\Windows\system32\csrss.exe{7E7FFDA1-374B-5FCE-0000-0010A27C2D00}6988C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000021899Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:08:11.617{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021900Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:08:11.617{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021901Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:08:11.617{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021902Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:08:11.617{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021903Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:08:11.617{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-374B-5FCE-0000-0010A27C2D00}6988C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021867Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:07:44.773{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-0010F6730B00}5664C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021868Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:07:44.773{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-0010F6730B00}5664C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021869Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:07:44.773{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-0010F6730B00}5664C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021870Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:07:44.773{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-0010F6730B00}5664C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021871Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:07:44.773{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-0010F6730B00}5664C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021872Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:07:44.773{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-0010F6730B00}5664C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021873Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:07:44.773{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-0010F6730B00}5664C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021874Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:07:44.773{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-0010F6730B00}5664C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021875Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:07:44.773{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-001032810B00}5772C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021876Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:07:44.773{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-001032810B00}5772C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021877Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:07:44.773{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-001032810B00}5772C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021878Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:07:44.773{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-001032810B00}5772C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021879Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:07:44.773{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-001032810B00}5772C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021880Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:07:44.773{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-001032810B00}5772C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021881Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:07:44.773{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-001032810B00}5772C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021882Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:07:44.773{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021883Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:07:44.773{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021884Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:07:44.773{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021885Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:07:44.773{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021886Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:07:44.773{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021887Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:07:44.773{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021888Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:07:44.773{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021889Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:07:44.773{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021890Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:07:44.773{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021891Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:07:44.773{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021892Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:07:44.773{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021893Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:07:44.773{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021894Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:07:44.773{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021895Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:07:44.773{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021865Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:07:37.117{7E7FFDA1-18B1-5FCE-0000-001002BA0000}11521864C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-001019C00200}3100C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+2597b|C:\Windows\system32\wbem\wmiprvsd.dll+283dc|C:\Windows\system32\wbem\wmiprvsd.dll+57817|C:\Windows\system32\wbem\wmiprvsd.dll+8a475|C:\Windows\system32\wbem\wbemcore.dll+bcb3|C:\Windows\system32\wbem\wbemcore.dll+3393|C:\Windows\system32\wbem\wbemcore.dll+22adf|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+2c9be|C:\Windows\system32\wbem\wbemcore.dll+202d8|C:\Windows\system32\wbem\wbemcore.dll+390e|C:\Windows\system32\wbem\wbemcore.dll+22bba|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021866Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:07:37.117{7E7FFDA1-18B1-5FCE-0000-001002BA0000}11521864C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-001019C00200}3100C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+2a2f2|C:\Windows\system32\wbem\wmiprvsd.dll+29e26|C:\Windows\system32\wbem\wmiprvsd.dll+28432|C:\Windows\system32\wbem\wmiprvsd.dll+57817|C:\Windows\system32\wbem\wmiprvsd.dll+8a475|C:\Windows\system32\wbem\wbemcore.dll+bcb3|C:\Windows\system32\wbem\wbemcore.dll+3393|C:\Windows\system32\wbem\wbemcore.dll+22adf|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+2c9be|C:\Windows\system32\wbem\wbemcore.dll+202d8|C:\Windows\system32\wbem\wbemcore.dll+390e|C:\Windows\system32\wbem\wbemcore.dll+22bba|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021864Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:07:35.539{7E7FFDA1-18AF-5FCE-0000-001027540000}856904C:\Windows\system32\lsass.exe{7E7FFDA1-18AE-5FCE-0000-0010EB030000}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2e101|C:\Windows\system32\lsasrv.dll+2c2c4|C:\Windows\system32\lsasrv.dll+31819|C:\Windows\system32\lsasrv.dll+2f177|C:\Windows\system32\lsasrv.dll+2e101|C:\Windows\system32\lsasrv.dll+16cdd|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 154100x800000000000000021856Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:07:16.477{7E7FFDA1-3714-5FCE-0000-0010706E2D00}3412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000021857Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:07:16.477{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-3714-5FCE-0000-0010706E2D00}3412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021858Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:07:16.477{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640656C:\Windows\system32\csrss.exe{7E7FFDA1-3714-5FCE-0000-0010706E2D00}3412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000021859Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:07:16.477{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021860Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:07:16.477{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021861Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:07:16.477{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021862Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:07:16.477{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021863Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:07:16.477{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-3714-5FCE-0000-0010706E2D00}3412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000021847Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:07:15.274{7E7FFDA1-3713-5FCE-0000-0010B16C2D00}4468C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe?????"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000021848Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:07:15.273{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-3713-5FCE-0000-0010B16C2D00}4468C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021849Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:07:15.273{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640788C:\Windows\system32\csrss.exe{7E7FFDA1-3713-5FCE-0000-0010B16C2D00}4468C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000021850Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:07:15.273{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021851Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:07:15.273{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021852Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:07:15.273{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021853Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:07:15.273{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021854Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:07:15.273{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-3713-5FCE-0000-0010B16C2D00}4468C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021855Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:07:15.414{7E7FFDA1-3713-5FCE-0000-0010B16C2D00}44685068C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021837Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:07:14.070{7E7FFDA1-3711-5FCE-0000-0010F0682D00}44646076C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000021838Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:07:14.602{7E7FFDA1-3712-5FCE-0000-0010A06A2D00}2768C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000021839Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:07:14.602{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-3712-5FCE-0000-0010A06A2D00}2768C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021840Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:07:14.602{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640656C:\Windows\system32\csrss.exe{7E7FFDA1-3712-5FCE-0000-0010A06A2D00}2768C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000021841Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:07:14.602{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021842Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:07:14.602{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021843Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:07:14.602{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021844Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:07:14.602{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021845Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:07:14.602{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-3712-5FCE-0000-0010A06A2D00}2768C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021846Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:07:14.742{7E7FFDA1-3712-5FCE-0000-0010A06A2D00}27682852C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000021821Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:07:13.384{7E7FFDA1-3711-5FCE-0000-001024672D00}5648C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000021822Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:07:13.383{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-3711-5FCE-0000-001024672D00}5648C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021823Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:07:13.383{7E7FFDA1-18AF-5FCE-0000-0010FA420000}6401160C:\Windows\system32\csrss.exe{7E7FFDA1-3711-5FCE-0000-001024672D00}5648C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000021824Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:07:13.383{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021825Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:07:13.383{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021826Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:07:13.383{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021827Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:07:13.383{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021828Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:07:13.383{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-3711-5FCE-0000-001024672D00}5648C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000021829Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:07:13.931{7E7FFDA1-3711-5FCE-0000-0010F0682D00}4464C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe?????"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000021830Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:07:13.930{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-3711-5FCE-0000-0010F0682D00}4464C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021831Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:07:13.930{7E7FFDA1-18AF-5FCE-0000-0010FA420000}6402404C:\Windows\system32\csrss.exe{7E7FFDA1-3711-5FCE-0000-0010F0682D00}4464C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000021832Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:07:13.930{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021833Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:07:13.930{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021834Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:07:13.930{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021835Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:07:13.930{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021836Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:07:13.930{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-3711-5FCE-0000-0010F0682D00}4464C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000021812Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:07:12.493{7E7FFDA1-3710-5FCE-0000-001078652D00}5476C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000021813Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:07:12.492{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-3710-5FCE-0000-001078652D00}5476C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021814Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:07:12.492{7E7FFDA1-18AF-5FCE-0000-0010FA420000}6402404C:\Windows\system32\csrss.exe{7E7FFDA1-3710-5FCE-0000-001078652D00}5476C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000021815Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:07:12.492{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021816Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:07:12.492{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021817Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:07:12.492{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021818Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:07:12.492{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021819Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:07:12.492{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-3710-5FCE-0000-001078652D00}5476C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021820Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:07:12.633{7E7FFDA1-3710-5FCE-0000-001078652D00}54766044C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000021804Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:07:11.602{7E7FFDA1-370F-5FCE-0000-0010CF632D00}2968C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000021805Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:07:11.602{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-370F-5FCE-0000-0010CF632D00}2968C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021806Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:07:11.602{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640788C:\Windows\system32\csrss.exe{7E7FFDA1-370F-5FCE-0000-0010CF632D00}2968C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000021807Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:07:11.602{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021808Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:07:11.602{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021809Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:07:11.602{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021810Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:07:11.602{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021811Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:07:11.602{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-370F-5FCE-0000-0010CF632D00}2968C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000021796Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:06:16.477{7E7FFDA1-36D8-5FCE-0000-0010D2572D00}2280C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000021797Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:06:16.477{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-36D8-5FCE-0000-0010D2572D00}2280C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021798Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:06:16.477{7E7FFDA1-18AF-5FCE-0000-0010FA420000}6401160C:\Windows\system32\csrss.exe{7E7FFDA1-36D8-5FCE-0000-0010D2572D00}2280C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000021799Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:06:16.477{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021800Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:06:16.477{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021801Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:06:16.477{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021802Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:06:16.477{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021803Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:06:16.477{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-36D8-5FCE-0000-0010D2572D00}2280C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000021787Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:06:15.088{7E7FFDA1-36D7-5FCE-0000-0010F5552D00}6836C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe?????"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000021788Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:06:15.086{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-36D7-5FCE-0000-0010F5552D00}6836C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021789Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:06:15.086{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640788C:\Windows\system32\csrss.exe{7E7FFDA1-36D7-5FCE-0000-0010F5552D00}6836C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000021790Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:06:15.086{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021791Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:06:15.086{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021792Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:06:15.086{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021793Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:06:15.086{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021794Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:06:15.086{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-36D7-5FCE-0000-0010F5552D00}6836C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021795Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:06:15.227{7E7FFDA1-36D7-5FCE-0000-0010F5552D00}68365484C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021777Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:06:14.102{7E7FFDA1-36D5-5FCE-0000-001031522D00}25284492C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000021778Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:06:14.587{7E7FFDA1-36D6-5FCE-0000-0010E6532D00}6092C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000021779Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:06:14.586{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-36D6-5FCE-0000-0010E6532D00}6092C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021780Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:06:14.586{7E7FFDA1-18AF-5FCE-0000-0010FA420000}6402404C:\Windows\system32\csrss.exe{7E7FFDA1-36D6-5FCE-0000-0010E6532D00}6092C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000021781Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:06:14.586{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021782Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:06:14.586{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021783Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:06:14.586{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021784Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:06:14.586{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021785Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:06:14.586{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-36D6-5FCE-0000-0010E6532D00}6092C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021786Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:06:14.727{7E7FFDA1-36D6-5FCE-0000-0010E6532D00}60925756C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000021761Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:06:13.384{7E7FFDA1-36D5-5FCE-0000-00107F502D00}5260C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000021762Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:06:13.383{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-36D5-5FCE-0000-00107F502D00}5260C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021763Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:06:13.383{7E7FFDA1-18AF-5FCE-0000-0010FA420000}6401160C:\Windows\system32\csrss.exe{7E7FFDA1-36D5-5FCE-0000-00107F502D00}5260C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000021764Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:06:13.383{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021765Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:06:13.383{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021766Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:06:13.383{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021767Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:06:13.383{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021768Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:06:13.383{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-36D5-5FCE-0000-00107F502D00}5260C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000021769Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:06:13.962{7E7FFDA1-36D5-5FCE-0000-001031522D00}2528C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe?????"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000021770Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:06:13.961{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-36D5-5FCE-0000-001031522D00}2528C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021771Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:06:13.961{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640656C:\Windows\system32\csrss.exe{7E7FFDA1-36D5-5FCE-0000-001031522D00}2528C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000021772Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:06:13.961{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021773Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:06:13.961{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021774Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:06:13.961{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021775Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:06:13.961{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021776Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:06:13.961{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-36D5-5FCE-0000-001031522D00}2528C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000021752Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:06:12.509{7E7FFDA1-36D4-5FCE-0000-0010B24E2D00}1572C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000021753Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:06:12.508{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-36D4-5FCE-0000-0010B24E2D00}1572C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021754Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:06:12.508{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640788C:\Windows\system32\csrss.exe{7E7FFDA1-36D4-5FCE-0000-0010B24E2D00}1572C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000021755Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:06:12.508{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021756Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:06:12.508{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021757Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:06:12.508{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021758Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:06:12.508{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021759Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:06:12.508{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-36D4-5FCE-0000-0010B24E2D00}1572C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021760Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:06:12.649{7E7FFDA1-36D4-5FCE-0000-0010B24E2D00}15725464C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000021744Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:06:11.587{7E7FFDA1-36D3-5FCE-0000-0010044D2D00}5680C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000021745Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:06:11.586{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-36D3-5FCE-0000-0010044D2D00}5680C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021746Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:06:11.586{7E7FFDA1-18AF-5FCE-0000-0010FA420000}6401160C:\Windows\system32\csrss.exe{7E7FFDA1-36D3-5FCE-0000-0010044D2D00}5680C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000021747Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:06:11.586{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021748Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:06:11.586{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021749Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:06:11.586{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021750Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:06:11.586{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021751Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:06:11.586{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-36D3-5FCE-0000-0010044D2D00}5680C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x800000000000000021734Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 14:05:58.399{7E7FFDA1-18AF-5FCE-0000-001027540000}856C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d6ccaa-0x77cb8f6a) 13241300x800000000000000021735Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 14:05:58.399{7E7FFDA1-18AF-5FCE-0000-001027540000}856C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d6cca2-0x1607276a) 13241300x800000000000000021736Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 14:05:58.399{7E7FFDA1-18AF-5FCE-0000-001027540000}856C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d6cc99-0xb442bf6a) 13241300x800000000000000021737Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 14:05:58.399{7E7FFDA1-18AF-5FCE-0000-001027540000}856C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x0075a00f) 13241300x800000000000000021738Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 14:05:58.399{7E7FFDA1-18AF-5FCE-0000-001027540000}856C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x800000000000000021739Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 14:05:58.399{7E7FFDA1-18AF-5FCE-0000-001027540000}856C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d6ccaa-0x77cb8f6a) 13241300x800000000000000021740Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 14:05:58.399{7E7FFDA1-18AF-5FCE-0000-001027540000}856C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d6cca2-0x1607276a) 13241300x800000000000000021741Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 14:05:58.399{7E7FFDA1-18AF-5FCE-0000-001027540000}856C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d6cc99-0xb442bf6a) 13241300x800000000000000021742Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 14:05:58.399{7E7FFDA1-18AF-5FCE-0000-001027540000}856C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x0075a00f) 13241300x800000000000000021743Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 14:05:58.399{7E7FFDA1-18AF-5FCE-0000-001027540000}856C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 10341000x800000000000000021705Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:05:42.742{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-0010F6730B00}5664C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021706Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:05:42.742{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-0010F6730B00}5664C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021707Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:05:42.742{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-0010F6730B00}5664C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021708Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:05:42.742{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-0010F6730B00}5664C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021709Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:05:42.742{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-0010F6730B00}5664C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021710Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:05:42.742{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-0010F6730B00}5664C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021711Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:05:42.742{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-0010F6730B00}5664C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021712Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:05:42.742{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-0010F6730B00}5664C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021713Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:05:42.742{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-001032810B00}5772C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021714Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:05:42.742{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-001032810B00}5772C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021715Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:05:42.742{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-001032810B00}5772C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021716Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:05:42.742{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-001032810B00}5772C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021717Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:05:42.742{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-001032810B00}5772C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021718Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:05:42.742{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-001032810B00}5772C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021719Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:05:42.742{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-001032810B00}5772C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021720Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:05:42.742{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021721Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:05:42.742{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021722Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:05:42.742{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021723Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:05:42.742{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021724Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:05:42.742{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021725Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:05:42.742{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021726Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:05:42.742{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021727Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:05:42.742{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021728Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:05:42.742{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021729Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:05:42.742{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021730Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:05:42.742{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021731Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:05:42.742{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021732Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:05:42.742{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021733Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:05:42.742{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021704Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:05:39.977{7E7FFDA1-18AF-5FCE-0000-001027540000}856904C:\Windows\system32\lsass.exe{7E7FFDA1-18AE-5FCE-0000-0010EB030000}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2e101|C:\Windows\system32\lsasrv.dll+2c2c4|C:\Windows\system32\lsasrv.dll+31819|C:\Windows\system32\lsasrv.dll+2f177|C:\Windows\system32\lsasrv.dll+2e101|C:\Windows\system32\lsasrv.dll+16cdd|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x800000000000000021701Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:05:37.430{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18B1-5FCE-0000-0010CBF20000}1588C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021702Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:05:37.430{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18B1-5FCE-0000-0010CBF20000}1588C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021703Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:05:37.430{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18B1-5FCE-0000-0010CBF20000}1588C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021700Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:05:20.961{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}6125808C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010B6BF0200}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000021692Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:05:16.477{7E7FFDA1-369C-5FCE-0000-00102F3B2D00}6544C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000021693Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:05:16.477{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-369C-5FCE-0000-00102F3B2D00}6544C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021694Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:05:16.477{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640788C:\Windows\system32\csrss.exe{7E7FFDA1-369C-5FCE-0000-00102F3B2D00}6544C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000021695Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:05:16.477{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021696Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:05:16.477{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021697Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:05:16.477{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021698Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:05:16.477{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021699Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:05:16.477{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-369C-5FCE-0000-00102F3B2D00}6544C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000021683Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:05:15.228{7E7FFDA1-369B-5FCE-0000-0010FC382D00}6080C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000021684Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:05:15.227{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-369B-5FCE-0000-0010FC382D00}6080C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021685Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:05:15.227{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640788C:\Windows\system32\csrss.exe{7E7FFDA1-369B-5FCE-0000-0010FC382D00}6080C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000021686Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:05:15.227{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021687Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:05:15.227{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021688Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:05:15.227{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021689Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:05:15.227{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021690Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:05:15.227{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-369B-5FCE-0000-0010FC382D00}6080C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021691Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:05:15.367{7E7FFDA1-369B-5FCE-0000-0010FC382D00}60804856C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000021665Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:05:14.056{7E7FFDA1-369A-5FCE-0000-0010A3352D00}6692C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe?????"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000021666Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:05:14.055{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-369A-5FCE-0000-0010A3352D00}6692C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021667Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:05:14.055{7E7FFDA1-18AF-5FCE-0000-0010FA420000}6402404C:\Windows\system32\csrss.exe{7E7FFDA1-369A-5FCE-0000-0010A3352D00}6692C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000021668Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:05:14.055{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021669Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:05:14.055{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021670Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:05:14.055{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021671Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:05:14.055{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021672Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:05:14.055{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-369A-5FCE-0000-0010A3352D00}6692C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021673Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:05:14.195{7E7FFDA1-369A-5FCE-0000-0010A3352D00}66922028C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000021674Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:05:14.727{7E7FFDA1-369A-5FCE-0000-001057372D00}6548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe?????"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000021675Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:05:14.727{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-369A-5FCE-0000-001057372D00}6548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021676Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:05:14.727{7E7FFDA1-18AF-5FCE-0000-0010FA420000}6402404C:\Windows\system32\csrss.exe{7E7FFDA1-369A-5FCE-0000-001057372D00}6548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000021677Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:05:14.727{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021678Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:05:14.727{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021679Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:05:14.727{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021680Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:05:14.727{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021681Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:05:14.727{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-369A-5FCE-0000-001057372D00}6548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021682Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:05:14.867{7E7FFDA1-369A-5FCE-0000-001057372D00}65486284C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000021657Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:05:13.384{7E7FFDA1-3699-5FCE-0000-0010D5332D00}5204C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000021658Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:05:13.383{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-3699-5FCE-0000-0010D5332D00}5204C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021659Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:05:13.383{7E7FFDA1-18AF-5FCE-0000-0010FA420000}6401160C:\Windows\system32\csrss.exe{7E7FFDA1-3699-5FCE-0000-0010D5332D00}5204C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000021660Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:05:13.383{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021661Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:05:13.383{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021662Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:05:13.383{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021663Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:05:13.383{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021664Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:05:13.383{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-3699-5FCE-0000-0010D5332D00}5204C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000021648Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:05:12.493{7E7FFDA1-3698-5FCE-0000-00100A322D00}1976C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000021649Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:05:12.492{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-3698-5FCE-0000-00100A322D00}1976C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021650Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:05:12.492{7E7FFDA1-18AF-5FCE-0000-0010FA420000}6401160C:\Windows\system32\csrss.exe{7E7FFDA1-3698-5FCE-0000-00100A322D00}1976C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000021651Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:05:12.492{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021652Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:05:12.492{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021653Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:05:12.492{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021654Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:05:12.492{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021655Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:05:12.492{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-3698-5FCE-0000-00100A322D00}1976C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021656Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:05:12.633{7E7FFDA1-3698-5FCE-0000-00100A322D00}19763856C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000021640Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:05:11.571{7E7FFDA1-3697-5FCE-0000-001056302D00}1840C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000021641Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:05:11.571{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-3697-5FCE-0000-001056302D00}1840C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021642Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:05:11.571{7E7FFDA1-18AF-5FCE-0000-0010FA420000}6402404C:\Windows\system32\csrss.exe{7E7FFDA1-3697-5FCE-0000-001056302D00}1840C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000021643Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:05:11.571{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021644Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:05:11.571{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021645Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:05:11.571{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021646Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:05:11.571{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021647Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:05:11.571{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-3697-5FCE-0000-001056302D00}1840C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000021632Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:04:16.478{7E7FFDA1-3660-5FCE-0000-0010B9232D00}5192C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000021633Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:04:16.477{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-3660-5FCE-0000-0010B9232D00}5192C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021634Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:04:16.477{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640656C:\Windows\system32\csrss.exe{7E7FFDA1-3660-5FCE-0000-0010B9232D00}5192C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000021635Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:04:16.477{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021636Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:04:16.477{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021637Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:04:16.477{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021638Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:04:16.477{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021639Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:04:16.477{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-3660-5FCE-0000-0010B9232D00}5192C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000021623Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:04:15.228{7E7FFDA1-365F-5FCE-0000-00108B212D00}1916C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000021624Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:04:15.227{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-365F-5FCE-0000-00108B212D00}1916C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021625Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:04:15.227{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640656C:\Windows\system32\csrss.exe{7E7FFDA1-365F-5FCE-0000-00108B212D00}1916C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000021626Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:04:15.227{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021627Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:04:15.227{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021628Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:04:15.227{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021629Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:04:15.227{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021630Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:04:15.227{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-365F-5FCE-0000-00108B212D00}1916C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021631Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:04:15.367{7E7FFDA1-365F-5FCE-0000-00108B212D00}19165188C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000021605Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:04:14.056{7E7FFDA1-365E-5FCE-0000-0010381E2D00}1240C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe?????"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000021606Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:04:14.055{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-365E-5FCE-0000-0010381E2D00}1240C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021607Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:04:14.055{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640656C:\Windows\system32\csrss.exe{7E7FFDA1-365E-5FCE-0000-0010381E2D00}1240C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000021608Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:04:14.055{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021609Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:04:14.055{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021610Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:04:14.055{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021611Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:04:14.055{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021612Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:04:14.055{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-365E-5FCE-0000-0010381E2D00}1240C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021613Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:04:14.196{7E7FFDA1-365E-5FCE-0000-0010381E2D00}12401056C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000021614Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:04:14.728{7E7FFDA1-365E-5FCE-0000-0010EA1F2D00}984C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe?????"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000021615Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:04:14.727{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-365E-5FCE-0000-0010EA1F2D00}984C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021616Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:04:14.727{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640788C:\Windows\system32\csrss.exe{7E7FFDA1-365E-5FCE-0000-0010EA1F2D00}984C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000021617Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:04:14.727{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021618Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:04:14.727{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021619Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:04:14.727{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021620Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:04:14.727{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021621Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:04:14.727{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-365E-5FCE-0000-0010EA1F2D00}984C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021622Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:04:14.867{7E7FFDA1-365E-5FCE-0000-0010EA1F2D00}9846952C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000021597Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:04:13.384{7E7FFDA1-365D-5FCE-0000-0010651C2D00}4176C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000021598Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:04:13.383{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-365D-5FCE-0000-0010651C2D00}4176C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021599Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:04:13.383{7E7FFDA1-18AF-5FCE-0000-0010FA420000}6401160C:\Windows\system32\csrss.exe{7E7FFDA1-365D-5FCE-0000-0010651C2D00}4176C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000021600Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:04:13.383{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021601Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:04:13.383{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021602Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:04:13.383{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021603Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:04:13.383{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021604Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:04:13.383{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-365D-5FCE-0000-0010651C2D00}4176C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000021588Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:04:12.493{7E7FFDA1-365C-5FCE-0000-0010A01A2D00}5384C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000021589Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:04:12.492{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-365C-5FCE-0000-0010A01A2D00}5384C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021590Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:04:12.492{7E7FFDA1-18AF-5FCE-0000-0010FA420000}6402404C:\Windows\system32\csrss.exe{7E7FFDA1-365C-5FCE-0000-0010A01A2D00}5384C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000021591Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:04:12.492{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021592Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:04:12.492{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021593Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:04:12.492{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021594Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:04:12.492{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021595Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:04:12.492{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-365C-5FCE-0000-0010A01A2D00}5384C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021596Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:04:12.633{7E7FFDA1-365C-5FCE-0000-0010A01A2D00}53846688C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000021580Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:04:11.571{7E7FFDA1-365B-5FCE-0000-001011192D00}5448C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000021581Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:04:11.571{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-365B-5FCE-0000-001011192D00}5448C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021582Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:04:11.571{7E7FFDA1-18AF-5FCE-0000-0010FA420000}6401160C:\Windows\system32\csrss.exe{7E7FFDA1-365B-5FCE-0000-001011192D00}5448C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000021583Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:04:11.571{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021584Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:04:11.571{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021585Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:04:11.571{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021586Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:04:11.571{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021587Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:04:11.571{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-365B-5FCE-0000-001011192D00}5448C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021551Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:03:41.743{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-0010F6730B00}5664C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021552Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:03:41.743{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-0010F6730B00}5664C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021553Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:03:41.743{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-0010F6730B00}5664C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021554Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:03:41.743{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-0010F6730B00}5664C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021555Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:03:41.743{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-0010F6730B00}5664C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021556Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:03:41.743{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-0010F6730B00}5664C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021557Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:03:41.743{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-0010F6730B00}5664C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021558Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:03:41.743{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-0010F6730B00}5664C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021559Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:03:41.743{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-001032810B00}5772C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021560Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:03:41.743{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-001032810B00}5772C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021561Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:03:41.743{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-001032810B00}5772C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021562Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:03:41.743{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-001032810B00}5772C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021563Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:03:41.743{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-001032810B00}5772C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021564Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:03:41.743{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-001032810B00}5772C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021565Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:03:41.743{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-001032810B00}5772C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021566Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:03:41.743{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021567Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:03:41.743{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021568Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:03:41.743{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021569Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:03:41.743{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021570Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:03:41.743{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021571Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:03:41.743{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021572Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:03:41.743{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021573Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:03:41.743{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021574Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:03:41.743{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021575Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:03:41.743{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021576Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:03:41.743{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021577Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:03:41.743{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021578Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:03:41.743{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021579Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:03:41.743{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x800000000000000021548Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 14:03:19.289{7E7FFDA1-18C1-5FCE-0000-001019C00200}3100C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\A47110B2-D436-47F8-BEA1-61CCEBF6C04E\Replica Set Configuration File\\?\C:\System Volume Information\DFSR\Config\Replica_A47110B2-D436-47F8-BEA1-61CCEBF6C04E.XML 13241300x800000000000000021549Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 14:03:19.289{7E7FFDA1-18C1-5FCE-0000-001019C00200}3100C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\A47110B2-D436-47F8-BEA1-61CCEBF6C04E\Config SourceDWORD (0x00000001) 13241300x800000000000000021550Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 14:03:19.305{7E7FFDA1-18C1-5FCE-0000-001019C00200}3100C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Volumes\9D191D6C-0000-0000-0000-100000000000\Volume Configuration File\\.\C:\System Volume Information\DFSR\Config\Volume_9D191D6C-0000-0000-0000-100000000000.XML 154100x800000000000000021540Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:03:16.463{7E7FFDA1-3624-5FCE-0000-0010830A2D00}2432C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000021541Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:03:16.461{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-3624-5FCE-0000-0010830A2D00}2432C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021542Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:03:16.461{7E7FFDA1-18AF-5FCE-0000-0010FA420000}6401160C:\Windows\system32\csrss.exe{7E7FFDA1-3624-5FCE-0000-0010830A2D00}2432C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000021543Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:03:16.461{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021544Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:03:16.461{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021545Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:03:16.461{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021546Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:03:16.461{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021547Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:03:16.461{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-3624-5FCE-0000-0010830A2D00}2432C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000021531Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:03:15.228{7E7FFDA1-3623-5FCE-0000-00109E082D00}6740C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe?????"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000021532Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:03:15.227{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-3623-5FCE-0000-00109E082D00}6740C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021533Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:03:15.227{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640788C:\Windows\system32\csrss.exe{7E7FFDA1-3623-5FCE-0000-00109E082D00}6740C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000021534Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:03:15.227{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021535Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:03:15.227{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021536Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:03:15.227{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021537Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:03:15.227{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021538Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:03:15.227{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-3623-5FCE-0000-00109E082D00}6740C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021539Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:03:15.368{7E7FFDA1-3623-5FCE-0000-00109E082D00}6740108C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000021513Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:03:14.056{7E7FFDA1-3622-5FCE-0000-0010E7042D00}6792C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe?????"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000021514Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:03:14.055{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-3622-5FCE-0000-0010E7042D00}6792C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021515Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:03:14.055{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640656C:\Windows\system32\csrss.exe{7E7FFDA1-3622-5FCE-0000-0010E7042D00}6792C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000021516Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:03:14.055{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021517Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:03:14.055{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021518Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:03:14.055{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021519Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:03:14.055{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021520Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:03:14.055{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-3622-5FCE-0000-0010E7042D00}6792C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021521Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:03:14.196{7E7FFDA1-3622-5FCE-0000-0010E7042D00}67922572C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000021522Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:03:14.572{7E7FFDA1-3622-5FCE-0000-001093062D00}6708C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000021523Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:03:14.571{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-3622-5FCE-0000-001093062D00}6708C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021524Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:03:14.571{7E7FFDA1-18AF-5FCE-0000-0010FA420000}6401160C:\Windows\system32\csrss.exe{7E7FFDA1-3622-5FCE-0000-001093062D00}6708C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000021525Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:03:14.571{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021526Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:03:14.571{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021527Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:03:14.571{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021528Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:03:14.571{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021529Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:03:14.571{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-3622-5FCE-0000-001093062D00}6708C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021530Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:03:14.711{7E7FFDA1-3622-5FCE-0000-001093062D00}67084444C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000021505Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:03:13.384{7E7FFDA1-3621-5FCE-0000-001011032D00}4512C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000021506Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:03:13.383{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-3621-5FCE-0000-001011032D00}4512C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021507Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:03:13.383{7E7FFDA1-18AF-5FCE-0000-0010FA420000}6402404C:\Windows\system32\csrss.exe{7E7FFDA1-3621-5FCE-0000-001011032D00}4512C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000021508Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:03:13.383{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021509Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:03:13.383{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021510Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:03:13.383{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021511Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:03:13.383{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021512Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:03:13.383{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-3621-5FCE-0000-001011032D00}4512C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000021496Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:03:12.493{7E7FFDA1-3620-5FCE-0000-001062012D00}6264C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000021497Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:03:12.493{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-3620-5FCE-0000-001062012D00}6264C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021498Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:03:12.493{7E7FFDA1-18AF-5FCE-0000-0010FA420000}6402404C:\Windows\system32\csrss.exe{7E7FFDA1-3620-5FCE-0000-001062012D00}6264C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000021499Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:03:12.493{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021500Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:03:12.493{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021501Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:03:12.493{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021502Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:03:12.493{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021503Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:03:12.493{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-3620-5FCE-0000-001062012D00}6264C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021504Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:03:12.633{7E7FFDA1-3620-5FCE-0000-001062012D00}62644544C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000021488Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:03:11.556{7E7FFDA1-361F-5FCE-0000-0010B6FF2C00}2976C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000021489Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:03:11.555{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-361F-5FCE-0000-0010B6FF2C00}2976C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021490Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:03:11.555{7E7FFDA1-18AF-5FCE-0000-0010FA420000}6401160C:\Windows\system32\csrss.exe{7E7FFDA1-361F-5FCE-0000-0010B6FF2C00}2976C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000021491Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:03:11.555{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021492Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:03:11.555{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021493Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:03:11.555{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021494Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:03:11.555{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021495Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:03:11.555{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-361F-5FCE-0000-0010B6FF2C00}2976C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000021480Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:02:16.509{7E7FFDA1-35E8-5FCE-0000-00106CE32C00}6592C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000021481Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:02:16.508{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-35E8-5FCE-0000-00106CE32C00}6592C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021482Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:02:16.508{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640788C:\Windows\system32\csrss.exe{7E7FFDA1-35E8-5FCE-0000-00106CE32C00}6592C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000021483Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:02:16.508{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021484Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:02:16.508{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021485Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:02:16.508{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021486Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:02:16.508{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021487Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:02:16.508{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-35E8-5FCE-0000-00106CE32C00}6592C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000021471Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:02:15.369{7E7FFDA1-35E7-5FCE-0000-0010A3E12C00}6872C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe?????"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000021472Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:02:15.368{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-35E7-5FCE-0000-0010A3E12C00}6872C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021473Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:02:15.368{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640788C:\Windows\system32\csrss.exe{7E7FFDA1-35E7-5FCE-0000-0010A3E12C00}6872C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000021474Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:02:15.368{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021475Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:02:15.368{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021476Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:02:15.368{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021477Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:02:15.368{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021478Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:02:15.368{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-35E7-5FCE-0000-0010A3E12C00}6872C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021479Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:02:15.508{7E7FFDA1-35E7-5FCE-0000-0010A3E12C00}68725836C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000021454Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:02:14.056{7E7FFDA1-35E6-5FCE-0000-0010DFDD2C00}3968C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000021455Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:02:14.055{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-35E6-5FCE-0000-0010DFDD2C00}3968C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021456Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:02:14.055{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640788C:\Windows\system32\csrss.exe{7E7FFDA1-35E6-5FCE-0000-0010DFDD2C00}3968C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000021457Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:02:14.055{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021458Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:02:14.055{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021459Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:02:14.055{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021460Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:02:14.055{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021461Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:02:14.055{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-35E6-5FCE-0000-0010DFDD2C00}3968C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000021462Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:02:14.728{7E7FFDA1-35E6-5FCE-0000-00107CDF2C00}5332C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000021463Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:02:14.727{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-35E6-5FCE-0000-00107CDF2C00}5332C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021464Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:02:14.727{7E7FFDA1-18AF-5FCE-0000-0010FA420000}6401160C:\Windows\system32\csrss.exe{7E7FFDA1-35E6-5FCE-0000-00107CDF2C00}5332C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000021465Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:02:14.727{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021466Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:02:14.727{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021467Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:02:14.727{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021468Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:02:14.727{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021469Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:02:14.727{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-35E6-5FCE-0000-00107CDF2C00}5332C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021470Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:02:14.868{7E7FFDA1-35E6-5FCE-0000-00107CDF2C00}53324344C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000021445Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:02:13.384{7E7FFDA1-35E5-5FCE-0000-00101BDC2C00}6700C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe?????"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000021446Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:02:13.383{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-35E5-5FCE-0000-00101BDC2C00}6700C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021447Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:02:13.383{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640788C:\Windows\system32\csrss.exe{7E7FFDA1-35E5-5FCE-0000-00101BDC2C00}6700C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000021448Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:02:13.383{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021449Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:02:13.383{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021450Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:02:13.383{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021451Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:02:13.383{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021452Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:02:13.383{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-35E5-5FCE-0000-00101BDC2C00}6700C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021453Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:02:13.524{7E7FFDA1-35E5-5FCE-0000-00101BDC2C00}67004956C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000021436Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:02:12.478{7E7FFDA1-35E4-5FCE-0000-00104FDA2C00}5820C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000021437Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:02:12.477{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-35E4-5FCE-0000-00104FDA2C00}5820C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021438Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:02:12.477{7E7FFDA1-18AF-5FCE-0000-0010FA420000}6402404C:\Windows\system32\csrss.exe{7E7FFDA1-35E4-5FCE-0000-00104FDA2C00}5820C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000021439Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:02:12.477{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021440Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:02:12.477{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021441Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:02:12.477{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021442Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:02:12.477{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021443Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:02:12.477{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-35E4-5FCE-0000-00104FDA2C00}5820C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021444Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:02:12.618{7E7FFDA1-35E4-5FCE-0000-00104FDA2C00}58205440C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000021428Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:02:11.556{7E7FFDA1-35E3-5FCE-0000-00109ED82C00}3532C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000021429Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:02:11.555{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-35E3-5FCE-0000-00109ED82C00}3532C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021430Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:02:11.555{7E7FFDA1-18AF-5FCE-0000-0010FA420000}6402404C:\Windows\system32\csrss.exe{7E7FFDA1-35E3-5FCE-0000-00109ED82C00}3532C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000021431Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:02:11.555{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021432Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:02:11.555{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021433Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:02:11.555{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021434Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:02:11.555{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021435Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:02:11.555{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-35E3-5FCE-0000-00109ED82C00}3532C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021427Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:01:40.727{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}6125808C:\Windows\system32\svchost.exe{7E7FFDA1-18B1-5FCE-0000-001002BA0000}1152C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000021419Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:01:16.509{7E7FFDA1-35AC-5FCE-0000-001052CC2C00}2052C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000021420Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:01:16.508{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-35AC-5FCE-0000-001052CC2C00}2052C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021421Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:01:16.508{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640788C:\Windows\system32\csrss.exe{7E7FFDA1-35AC-5FCE-0000-001052CC2C00}2052C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000021422Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:01:16.508{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021423Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:01:16.508{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021424Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:01:16.508{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021425Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:01:16.508{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021426Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:01:16.508{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-35AC-5FCE-0000-001052CC2C00}2052C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000021410Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:01:15.400{7E7FFDA1-35AB-5FCE-0000-0010A5CA2C00}5940C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe?????"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000021411Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:01:15.399{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-35AB-5FCE-0000-0010A5CA2C00}5940C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021412Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:01:15.399{7E7FFDA1-18AF-5FCE-0000-0010FA420000}6402404C:\Windows\system32\csrss.exe{7E7FFDA1-35AB-5FCE-0000-0010A5CA2C00}5940C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000021413Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:01:15.399{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021414Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:01:15.399{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021415Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:01:15.399{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021416Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:01:15.399{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021417Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:01:15.399{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-35AB-5FCE-0000-0010A5CA2C00}5940C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021418Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:01:15.540{7E7FFDA1-35AB-5FCE-0000-0010A5CA2C00}59401912C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000021393Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:01:14.056{7E7FFDA1-35AA-5FCE-0000-00104EC62C00}2188C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000021394Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:01:14.055{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-35AA-5FCE-0000-00104EC62C00}2188C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021395Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:01:14.055{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640788C:\Windows\system32\csrss.exe{7E7FFDA1-35AA-5FCE-0000-00104EC62C00}2188C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000021396Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:01:14.055{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021397Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:01:14.055{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021398Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:01:14.055{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021399Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:01:14.055{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021400Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:01:14.055{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-35AA-5FCE-0000-00104EC62C00}2188C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000021401Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:01:14.728{7E7FFDA1-35AA-5FCE-0000-001098C82C00}2008C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000021402Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:01:14.727{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-35AA-5FCE-0000-001098C82C00}2008C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021403Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:01:14.727{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640656C:\Windows\system32\csrss.exe{7E7FFDA1-35AA-5FCE-0000-001098C82C00}2008C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000021404Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:01:14.727{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021405Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:01:14.727{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021406Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:01:14.727{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021407Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:01:14.727{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021408Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:01:14.727{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-35AA-5FCE-0000-001098C82C00}2008C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021409Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:01:14.868{7E7FFDA1-35AA-5FCE-0000-001098C82C00}20081472C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000021384Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:01:13.384{7E7FFDA1-35A9-5FCE-0000-00108DC42C00}1392C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe?????"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000021385Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:01:13.383{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-35A9-5FCE-0000-00108DC42C00}1392C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021386Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:01:13.383{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640656C:\Windows\system32\csrss.exe{7E7FFDA1-35A9-5FCE-0000-00108DC42C00}1392C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000021387Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:01:13.383{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021388Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:01:13.383{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021389Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:01:13.383{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021390Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:01:13.383{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021391Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:01:13.383{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-35A9-5FCE-0000-00108DC42C00}1392C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021392Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:01:13.524{7E7FFDA1-35A9-5FCE-0000-00108DC42C00}13921448C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000021375Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:01:12.478{7E7FFDA1-35A8-5FCE-0000-0010C7C22C00}628C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000021376Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:01:12.477{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-35A8-5FCE-0000-0010C7C22C00}628C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021377Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:01:12.477{7E7FFDA1-18AF-5FCE-0000-0010FA420000}6402404C:\Windows\system32\csrss.exe{7E7FFDA1-35A8-5FCE-0000-0010C7C22C00}628C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000021378Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:01:12.477{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021379Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:01:12.477{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021380Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:01:12.477{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021381Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:01:12.477{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021382Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:01:12.477{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-35A8-5FCE-0000-0010C7C22C00}628C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021383Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:01:12.618{7E7FFDA1-35A8-5FCE-0000-0010C7C22C00}6286372C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000021367Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:01:11.556{7E7FFDA1-35A7-5FCE-0000-001012C12C00}6116C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000021368Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:01:11.555{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-35A7-5FCE-0000-001012C12C00}6116C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021369Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:01:11.555{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640656C:\Windows\system32\csrss.exe{7E7FFDA1-35A7-5FCE-0000-001012C12C00}6116C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000021370Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:01:11.555{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021371Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:01:11.555{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021372Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:01:11.555{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021373Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:01:11.555{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021374Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:01:11.555{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-35A7-5FCE-0000-001012C12C00}6116C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x800000000000000021357Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 14:00:58.383{7E7FFDA1-18AF-5FCE-0000-001027540000}856C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d6cca9-0xc4f8c06a) 13241300x800000000000000021358Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 14:00:58.383{7E7FFDA1-18AF-5FCE-0000-001027540000}856C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d6cca1-0x6334586a) 13241300x800000000000000021359Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 14:00:58.383{7E7FFDA1-18AF-5FCE-0000-001027540000}856C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d6cc99-0x016ff06a) 13241300x800000000000000021360Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 14:00:58.383{7E7FFDA1-18AF-5FCE-0000-001027540000}856C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x00710c1f) 13241300x800000000000000021361Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 14:00:58.383{7E7FFDA1-18AF-5FCE-0000-001027540000}856C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x800000000000000021362Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 14:00:58.383{7E7FFDA1-18AF-5FCE-0000-001027540000}856C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d6cca9-0xc4f8c06a) 13241300x800000000000000021363Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 14:00:58.383{7E7FFDA1-18AF-5FCE-0000-001027540000}856C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d6cca1-0x6334586a) 13241300x800000000000000021364Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 14:00:58.383{7E7FFDA1-18AF-5FCE-0000-001027540000}856C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d6cc99-0x016ff06a) 13241300x800000000000000021365Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 14:00:58.383{7E7FFDA1-18AF-5FCE-0000-001027540000}856C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x00710c1f) 13241300x800000000000000021366Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 14:00:58.383{7E7FFDA1-18AF-5FCE-0000-001027540000}856C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 10341000x800000000000000021356Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:00:39.837{7E7FFDA1-18AF-5FCE-0000-001027540000}8566336C:\Windows\system32\lsass.exe{7E7FFDA1-18AE-5FCE-0000-0010EB030000}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2e101|C:\Windows\system32\lsasrv.dll+2c2c4|C:\Windows\system32\lsasrv.dll+31819|C:\Windows\system32\lsasrv.dll+2f177|C:\Windows\system32\lsasrv.dll+2e101|C:\Windows\system32\lsasrv.dll+16cdd|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x800000000000000021353Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:00:37.415{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18B1-5FCE-0000-0010CBF20000}1588C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021354Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:00:37.415{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18B1-5FCE-0000-0010CBF20000}1588C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021355Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:00:37.415{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18B1-5FCE-0000-0010CBF20000}1588C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000021345Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:00:16.509{7E7FFDA1-3570-5FCE-0000-0010CFAE2C00}2500C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000021346Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:00:16.508{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-3570-5FCE-0000-0010CFAE2C00}2500C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021347Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:00:16.508{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640788C:\Windows\system32\csrss.exe{7E7FFDA1-3570-5FCE-0000-0010CFAE2C00}2500C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000021348Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:00:16.508{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021349Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:00:16.508{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021350Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:00:16.508{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021351Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:00:16.508{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021352Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:00:16.508{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-3570-5FCE-0000-0010CFAE2C00}2500C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000021336Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:00:15.353{7E7FFDA1-356F-5FCE-0000-0010EBAC2C00}2844C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe?????"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000021337Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:00:15.352{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-356F-5FCE-0000-0010EBAC2C00}2844C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021338Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:00:15.352{7E7FFDA1-18AF-5FCE-0000-0010FA420000}6402404C:\Windows\system32\csrss.exe{7E7FFDA1-356F-5FCE-0000-0010EBAC2C00}2844C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000021339Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:00:15.352{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021340Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:00:15.352{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021341Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:00:15.352{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021342Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:00:15.352{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021343Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:00:15.352{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-356F-5FCE-0000-0010EBAC2C00}2844C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021344Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:00:15.493{7E7FFDA1-356F-5FCE-0000-0010EBAC2C00}28445424C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000021319Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:00:14.056{7E7FFDA1-356E-5FCE-0000-001021A92C00}2784C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000021320Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:00:14.055{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-356E-5FCE-0000-001021A92C00}2784C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021321Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:00:14.055{7E7FFDA1-18AF-5FCE-0000-0010FA420000}6401160C:\Windows\system32\csrss.exe{7E7FFDA1-356E-5FCE-0000-001021A92C00}2784C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000021322Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:00:14.055{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021323Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:00:14.055{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021324Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:00:14.055{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021325Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:00:14.055{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021326Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:00:14.055{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-356E-5FCE-0000-001021A92C00}2784C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000021327Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:00:14.697{7E7FFDA1-356E-5FCE-0000-0010F1AA2C00}6852C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000021328Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:00:14.696{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-356E-5FCE-0000-0010F1AA2C00}6852C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021329Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:00:14.696{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640656C:\Windows\system32\csrss.exe{7E7FFDA1-356E-5FCE-0000-0010F1AA2C00}6852C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000021330Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:00:14.696{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021331Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:00:14.696{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021332Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:00:14.696{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021333Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:00:14.696{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021334Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:00:14.696{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-356E-5FCE-0000-0010F1AA2C00}6852C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021335Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:00:14.837{7E7FFDA1-356E-5FCE-0000-0010F1AA2C00}68521864C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000021310Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:00:13.384{7E7FFDA1-356D-5FCE-0000-00108FA72C00}6992C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe?????"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000021311Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:00:13.383{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-356D-5FCE-0000-00108FA72C00}6992C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021312Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:00:13.383{7E7FFDA1-18AF-5FCE-0000-0010FA420000}6402404C:\Windows\system32\csrss.exe{7E7FFDA1-356D-5FCE-0000-00108FA72C00}6992C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000021313Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:00:13.383{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021314Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:00:13.383{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021315Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:00:13.383{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021316Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:00:13.383{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021317Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:00:13.383{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-356D-5FCE-0000-00108FA72C00}6992C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021318Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:00:13.524{7E7FFDA1-356D-5FCE-0000-00108FA72C00}69924996C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000021301Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:00:12.478{7E7FFDA1-356C-5FCE-0000-0010CDA52C00}6928C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000021302Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:00:12.477{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-356C-5FCE-0000-0010CDA52C00}6928C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021303Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:00:12.477{7E7FFDA1-18AF-5FCE-0000-0010FA420000}6401160C:\Windows\system32\csrss.exe{7E7FFDA1-356C-5FCE-0000-0010CDA52C00}6928C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000021304Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:00:12.477{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021305Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:00:12.477{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021306Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:00:12.477{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021307Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:00:12.477{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021308Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:00:12.477{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-356C-5FCE-0000-0010CDA52C00}6928C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021309Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:00:12.618{7E7FFDA1-356C-5FCE-0000-0010CDA52C00}69284388C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000021293Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:00:11.556{7E7FFDA1-356B-5FCE-0000-001014A42C00}5180C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000021294Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:00:11.555{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-356B-5FCE-0000-001014A42C00}5180C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021295Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:00:11.555{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640788C:\Windows\system32\csrss.exe{7E7FFDA1-356B-5FCE-0000-001014A42C00}5180C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000021296Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:00:11.555{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021297Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:00:11.555{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021298Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:00:11.555{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021299Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:00:11.555{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021300Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 14:00:11.555{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-356B-5FCE-0000-001014A42C00}5180C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021264Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:59:44.509{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-0010F6730B00}5664C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021265Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:59:44.509{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-0010F6730B00}5664C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021266Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:59:44.509{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-0010F6730B00}5664C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021267Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:59:44.509{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-0010F6730B00}5664C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021268Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:59:44.509{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-0010F6730B00}5664C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021269Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:59:44.509{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-0010F6730B00}5664C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021270Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:59:44.509{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-0010F6730B00}5664C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021271Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:59:44.509{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-0010F6730B00}5664C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021272Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:59:44.509{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-001032810B00}5772C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021273Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:59:44.509{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-001032810B00}5772C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021274Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:59:44.509{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-001032810B00}5772C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021275Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:59:44.509{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-001032810B00}5772C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021276Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:59:44.509{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-001032810B00}5772C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021277Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:59:44.509{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-001032810B00}5772C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021278Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:59:44.509{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-001032810B00}5772C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021279Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:59:44.509{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021280Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:59:44.509{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021281Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:59:44.509{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021282Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:59:44.509{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021283Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:59:44.509{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021284Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:59:44.509{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021285Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:59:44.509{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021286Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:59:44.509{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021287Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:59:44.509{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021288Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:59:44.509{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021289Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:59:44.509{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021290Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:59:44.509{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021291Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:59:44.509{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021292Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:59:44.509{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000021256Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:59:16.509{7E7FFDA1-3534-5FCE-0000-0010B1962C00}4980C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000021257Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:59:16.509{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-3534-5FCE-0000-0010B1962C00}4980C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021258Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:59:16.509{7E7FFDA1-18AF-5FCE-0000-0010FA420000}6402404C:\Windows\system32\csrss.exe{7E7FFDA1-3534-5FCE-0000-0010B1962C00}4980C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000021259Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:59:16.509{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021260Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:59:16.509{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021261Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:59:16.509{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021262Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:59:16.509{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021263Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:59:16.509{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-3534-5FCE-0000-0010B1962C00}4980C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021246Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:59:14.993{7E7FFDA1-3532-5FCE-0000-0010BC922C00}68086824C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000021247Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:59:15.353{7E7FFDA1-3533-5FCE-0000-0010F2942C00}5980C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe?????"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000021248Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:59:15.352{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-3533-5FCE-0000-0010F2942C00}5980C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021249Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:59:15.352{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640788C:\Windows\system32\csrss.exe{7E7FFDA1-3533-5FCE-0000-0010F2942C00}5980C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000021250Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:59:15.352{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021251Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:59:15.352{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021252Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:59:15.352{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021253Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:59:15.352{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021254Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:59:15.352{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-3533-5FCE-0000-0010F2942C00}5980C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021255Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:59:15.493{7E7FFDA1-3533-5FCE-0000-0010F2942C00}59804400C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000021229Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:59:14.181{7E7FFDA1-3532-5FCE-0000-001013912C00}2476C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe?????"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000021230Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:59:14.180{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-3532-5FCE-0000-001013912C00}2476C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021231Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:59:14.180{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640788C:\Windows\system32\csrss.exe{7E7FFDA1-3532-5FCE-0000-001013912C00}2476C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000021232Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:59:14.180{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021233Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:59:14.180{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021234Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:59:14.180{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021235Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:59:14.180{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021236Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:59:14.180{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-3532-5FCE-0000-001013912C00}2476C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021237Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:59:14.321{7E7FFDA1-3532-5FCE-0000-001013912C00}24766948C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000021238Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:59:14.853{7E7FFDA1-3532-5FCE-0000-0010BC922C00}6808C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000021239Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:59:14.852{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-3532-5FCE-0000-0010BC922C00}6808C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021240Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:59:14.852{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640788C:\Windows\system32\csrss.exe{7E7FFDA1-3532-5FCE-0000-0010BC922C00}6808C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000021241Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:59:14.852{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021242Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:59:14.852{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021243Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:59:14.852{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021244Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:59:14.852{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021245Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:59:14.852{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-3532-5FCE-0000-0010BC922C00}6808C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000021221Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:59:13.509{7E7FFDA1-3531-5FCE-0000-0010638F2C00}6108C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000021222Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:59:13.509{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-3531-5FCE-0000-0010638F2C00}6108C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021223Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:59:13.509{7E7FFDA1-18AF-5FCE-0000-0010FA420000}6401160C:\Windows\system32\csrss.exe{7E7FFDA1-3531-5FCE-0000-0010638F2C00}6108C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000021224Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:59:13.509{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021225Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:59:13.509{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021226Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:59:13.509{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021227Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:59:13.509{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021228Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:59:13.509{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-3531-5FCE-0000-0010638F2C00}6108C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000021212Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:59:12.462{7E7FFDA1-3530-5FCE-0000-0010968D2C00}4976C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000021213Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:59:12.462{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-3530-5FCE-0000-0010968D2C00}4976C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021214Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:59:12.462{7E7FFDA1-18AF-5FCE-0000-0010FA420000}6402404C:\Windows\system32\csrss.exe{7E7FFDA1-3530-5FCE-0000-0010968D2C00}4976C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000021215Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:59:12.462{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021216Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:59:12.462{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021217Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:59:12.462{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021218Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:59:12.462{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021219Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:59:12.462{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-3530-5FCE-0000-0010968D2C00}4976C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021220Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:59:12.602{7E7FFDA1-3530-5FCE-0000-0010968D2C00}49761104C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000021204Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:59:11.556{7E7FFDA1-352F-5FCE-0000-0010E68B2C00}7064C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000021205Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:59:11.555{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-352F-5FCE-0000-0010E68B2C00}7064C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021206Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:59:11.555{7E7FFDA1-18AF-5FCE-0000-0010FA420000}6402404C:\Windows\system32\csrss.exe{7E7FFDA1-352F-5FCE-0000-0010E68B2C00}7064C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000021207Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:59:11.555{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021208Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:59:11.555{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021209Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:59:11.555{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021210Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:59:11.555{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021211Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:59:11.555{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-352F-5FCE-0000-0010E68B2C00}7064C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x800000000000000021201Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 13:58:18.704{7E7FFDA1-18C1-5FCE-0000-001019C00200}3100C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\A47110B2-D436-47F8-BEA1-61CCEBF6C04E\Replica Set Configuration File\\?\C:\System Volume Information\DFSR\Config\Replica_A47110B2-D436-47F8-BEA1-61CCEBF6C04E.XML 13241300x800000000000000021202Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 13:58:18.704{7E7FFDA1-18C1-5FCE-0000-001019C00200}3100C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\A47110B2-D436-47F8-BEA1-61CCEBF6C04E\Config SourceDWORD (0x00000001) 13241300x800000000000000021203Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 13:58:18.704{7E7FFDA1-18C1-5FCE-0000-001019C00200}3100C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Volumes\9D191D6C-0000-0000-0000-100000000000\Volume Configuration File\\.\C:\System Volume Information\DFSR\Config\Volume_9D191D6C-0000-0000-0000-100000000000.XML 154100x800000000000000021193Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:58:16.509{7E7FFDA1-34F8-5FCE-0000-0010257D2C00}5540C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000021194Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:58:16.509{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-34F8-5FCE-0000-0010257D2C00}5540C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021195Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:58:16.509{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640656C:\Windows\system32\csrss.exe{7E7FFDA1-34F8-5FCE-0000-0010257D2C00}5540C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000021196Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:58:16.509{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021197Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:58:16.509{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021198Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:58:16.509{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021199Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:58:16.509{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021200Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:58:16.509{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-34F8-5FCE-0000-0010257D2C00}5540C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021183Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:58:15.009{7E7FFDA1-34F6-5FCE-0000-001049792C00}60525212C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000021184Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:58:15.353{7E7FFDA1-34F7-5FCE-0000-0010637B2C00}2492C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe?????"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000021185Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:58:15.352{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-34F7-5FCE-0000-0010637B2C00}2492C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021186Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:58:15.352{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640788C:\Windows\system32\csrss.exe{7E7FFDA1-34F7-5FCE-0000-0010637B2C00}2492C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000021187Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:58:15.352{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021188Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:58:15.352{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021189Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:58:15.352{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021190Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:58:15.352{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021191Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:58:15.352{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-34F7-5FCE-0000-0010637B2C00}2492C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021192Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:58:15.493{7E7FFDA1-34F7-5FCE-0000-0010637B2C00}24923032C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000021166Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:58:14.181{7E7FFDA1-34F6-5FCE-0000-0010AA772C00}1116C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe?????"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000021167Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:58:14.181{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-34F6-5FCE-0000-0010AA772C00}1116C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021168Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:58:14.181{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640788C:\Windows\system32\csrss.exe{7E7FFDA1-34F6-5FCE-0000-0010AA772C00}1116C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000021169Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:58:14.181{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021170Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:58:14.181{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021171Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:58:14.181{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021172Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:58:14.181{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021173Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:58:14.181{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-34F6-5FCE-0000-0010AA772C00}1116C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021174Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:58:14.321{7E7FFDA1-34F6-5FCE-0000-0010AA772C00}11165304C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000021175Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:58:14.853{7E7FFDA1-34F6-5FCE-0000-001049792C00}6052C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000021176Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:58:14.852{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-34F6-5FCE-0000-001049792C00}6052C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021177Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:58:14.852{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640788C:\Windows\system32\csrss.exe{7E7FFDA1-34F6-5FCE-0000-001049792C00}6052C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000021178Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:58:14.852{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021179Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:58:14.852{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021180Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:58:14.852{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021181Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:58:14.852{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021182Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:58:14.852{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-34F6-5FCE-0000-001049792C00}6052C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000021158Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:58:13.509{7E7FFDA1-34F5-5FCE-0000-0010EF752C00}4480C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000021159Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:58:13.509{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-34F5-5FCE-0000-0010EF752C00}4480C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021160Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:58:13.509{7E7FFDA1-18AF-5FCE-0000-0010FA420000}6402404C:\Windows\system32\csrss.exe{7E7FFDA1-34F5-5FCE-0000-0010EF752C00}4480C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000021161Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:58:13.509{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021162Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:58:13.509{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021163Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:58:13.509{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021164Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:58:13.509{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021165Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:58:13.509{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-34F5-5FCE-0000-0010EF752C00}4480C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000021149Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:58:12.447{7E7FFDA1-34F4-5FCE-0000-001023742C00}1300C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000021150Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:58:12.446{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-34F4-5FCE-0000-001023742C00}1300C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021151Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:58:12.446{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640656C:\Windows\system32\csrss.exe{7E7FFDA1-34F4-5FCE-0000-001023742C00}1300C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000021152Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:58:12.446{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021153Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:58:12.446{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021154Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:58:12.446{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021155Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:58:12.446{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021156Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:58:12.446{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-34F4-5FCE-0000-001023742C00}1300C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021157Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:58:12.587{7E7FFDA1-34F4-5FCE-0000-001023742C00}13005224C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000021141Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:58:11.541{7E7FFDA1-34F3-5FCE-0000-00106C722C00}3712C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000021142Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:58:11.540{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-34F3-5FCE-0000-00106C722C00}3712C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021143Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:58:11.540{7E7FFDA1-18AF-5FCE-0000-0010FA420000}6401160C:\Windows\system32\csrss.exe{7E7FFDA1-34F3-5FCE-0000-00106C722C00}3712C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000021144Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:58:11.540{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021145Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:58:11.540{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021146Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:58:11.540{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021147Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:58:11.540{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021148Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:58:11.540{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-34F3-5FCE-0000-00106C722C00}3712C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021112Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:57:43.493{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-0010F6730B00}5664C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021113Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:57:43.493{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-0010F6730B00}5664C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021114Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:57:43.493{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-0010F6730B00}5664C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021115Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:57:43.493{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-0010F6730B00}5664C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021116Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:57:43.493{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-0010F6730B00}5664C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021117Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:57:43.493{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-0010F6730B00}5664C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021118Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:57:43.493{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-0010F6730B00}5664C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021119Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:57:43.493{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-0010F6730B00}5664C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021120Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:57:43.493{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-001032810B00}5772C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021121Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:57:43.493{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-001032810B00}5772C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021122Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:57:43.493{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-001032810B00}5772C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021123Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:57:43.493{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-001032810B00}5772C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021124Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:57:43.493{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-001032810B00}5772C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021125Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:57:43.493{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-001032810B00}5772C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021126Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:57:43.493{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-001032810B00}5772C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021127Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:57:43.493{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021128Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:57:43.493{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021129Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:57:43.493{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021130Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:57:43.493{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021131Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:57:43.493{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021132Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:57:43.493{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021133Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:57:43.493{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021134Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:57:43.493{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021135Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:57:43.493{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021136Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:57:43.493{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021137Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:57:43.493{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021138Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:57:43.493{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021139Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:57:43.493{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021140Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:57:43.493{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x800000000000000021098Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 13:57:39.384{7E7FFDA1-18B1-5FCE-0000-00104CD50000}1368C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{90869922-2FCF-4D43-859E-B22588A4FFEF}\RegisteredSinceBootDWORD (0x00000001) 10341000x800000000000000021099Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:57:39.384{7E7FFDA1-18AF-5FCE-0000-001027540000}8566336C:\Windows\system32\lsass.exe{7E7FFDA1-18B1-5FCE-0000-00104CD50000}1368C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2e101|C:\Windows\system32\lsasrv.dll+2c2c4|C:\Windows\system32\lsasrv.dll+31375|C:\Windows\system32\lsasrv.dll+2f20b|C:\Windows\system32\lsasrv.dll+2e101|C:\Windows\system32\lsasrv.dll+16cdd|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 13241300x800000000000000021100Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 13:57:39.384{7E7FFDA1-18B1-5FCE-0000-00104CD50000}1368C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{90869922-2FCF-4D43-859E-B22588A4FFEF}\Hostnamewin-dc-633 13241300x800000000000000021101Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 13:57:39.384{7E7FFDA1-18B1-5FCE-0000-00104CD50000}1368C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{90869922-2FCF-4D43-859E-B22588A4FFEF}\AdapterDomainName(Empty) 13241300x800000000000000021102Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 13:57:39.384{7E7FFDA1-18B1-5FCE-0000-00104CD50000}1368C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{90869922-2FCF-4D43-859E-B22588A4FFEF}\PrimaryDomainNameattackrange.local 13241300x800000000000000021103Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 13:57:39.384{7E7FFDA1-18B1-5FCE-0000-00104CD50000}1368C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{90869922-2FCF-4D43-859E-B22588A4FFEF}\HostAddrsBinary Data 13241300x800000000000000021104Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 13:57:39.384{7E7FFDA1-18B1-5FCE-0000-00104CD50000}1368C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{90869922-2FCF-4D43-859E-B22588A4FFEF}\DnsServersBinary Data 13241300x800000000000000021105Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 13:57:39.384{7E7FFDA1-18B1-5FCE-0000-00104CD50000}1368C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{90869922-2FCF-4D43-859E-B22588A4FFEF}\SentUpdateToIpBinary Data 13241300x800000000000000021106Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 13:57:39.384{7E7FFDA1-18B1-5FCE-0000-00104CD50000}1368C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{90869922-2FCF-4D43-859E-B22588A4FFEF}\SentPriUpdateToIpBinary Data 13241300x800000000000000021107Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 13:57:39.384{7E7FFDA1-18B1-5FCE-0000-00104CD50000}1368C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{90869922-2FCF-4D43-859E-B22588A4FFEF}\TtlDWORD (0x000004b0) 13241300x800000000000000021108Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 13:57:39.384{7E7FFDA1-18B1-5FCE-0000-00104CD50000}1368C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{90869922-2FCF-4D43-859E-B22588A4FFEF}\FlagsDWORD (0x00000002) 13241300x800000000000000021109Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 13:57:39.384{7E7FFDA1-18B1-5FCE-0000-00104CD50000}1368C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{90869922-2FCF-4D43-859E-B22588A4FFEF}\CompartmentIdDWORD (0x00000001) 13241300x800000000000000021110Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 13:57:39.384{7E7FFDA1-18B1-5FCE-0000-00104CD50000}1368C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{90869922-2FCF-4D43-859E-B22588A4FFEF}\StaleAdapterDWORD (0x00000000) 13241300x800000000000000021111Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 13:57:39.384{7E7FFDA1-18B1-5FCE-0000-00104CD50000}1368C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{90869922-2FCF-4D43-859E-B22588A4FFEF}\RegisteredSinceBootDWORD (0x00000001) 10341000x800000000000000021084Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:57:37.118{7E7FFDA1-18B1-5FCE-0000-001002BA0000}1152844C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-001019C00200}3100C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+2597b|C:\Windows\system32\wbem\wmiprvsd.dll+283dc|C:\Windows\system32\wbem\wmiprvsd.dll+57817|C:\Windows\system32\wbem\wmiprvsd.dll+8a475|C:\Windows\system32\wbem\wbemcore.dll+bcb3|C:\Windows\system32\wbem\wbemcore.dll+3393|C:\Windows\system32\wbem\wbemcore.dll+22adf|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+2c9be|C:\Windows\system32\wbem\wbemcore.dll+202d8|C:\Windows\system32\wbem\wbemcore.dll+390e|C:\Windows\system32\wbem\wbemcore.dll+22bba|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021085Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:57:37.118{7E7FFDA1-18B1-5FCE-0000-001002BA0000}1152844C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-001019C00200}3100C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+2a2f2|C:\Windows\system32\wbem\wmiprvsd.dll+29e26|C:\Windows\system32\wbem\wmiprvsd.dll+28432|C:\Windows\system32\wbem\wmiprvsd.dll+57817|C:\Windows\system32\wbem\wmiprvsd.dll+8a475|C:\Windows\system32\wbem\wbemcore.dll+bcb3|C:\Windows\system32\wbem\wbemcore.dll+3393|C:\Windows\system32\wbem\wbemcore.dll+22adf|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+2c9be|C:\Windows\system32\wbem\wbemcore.dll+202d8|C:\Windows\system32\wbem\wbemcore.dll+390e|C:\Windows\system32\wbem\wbemcore.dll+22bba|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x800000000000000021086Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 13:57:37.352{7E7FFDA1-18B1-5FCE-0000-001014C50000}1212C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{90869922-2fcf-4d43-859e-b22588a4ffef}\DhcpInterfaceOptionsBinary Data 13241300x800000000000000021087Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 13:57:37.352{7E7FFDA1-18B1-5FCE-0000-001014C50000}1212C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{90869922-2fcf-4d43-859e-b22588a4ffef}\DhcpIPAddress10.0.1.14 13241300x800000000000000021088Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 13:57:37.352{7E7FFDA1-18B1-5FCE-0000-001014C50000}1212C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{90869922-2fcf-4d43-859e-b22588a4ffef}\DhcpSubnetMask255.255.255.0 13241300x800000000000000021089Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 13:57:37.352{7E7FFDA1-18B1-5FCE-0000-001014C50000}1212C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{90869922-2fcf-4d43-859e-b22588a4ffef}\DhcpServer10.0.1.1 13241300x800000000000000021090Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 13:57:37.352{7E7FFDA1-18B1-5FCE-0000-001014C50000}1212C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{90869922-2fcf-4d43-859e-b22588a4ffef}\LeaseDWORD (0x00000e10) 13241300x800000000000000021091Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 13:57:37.352{7E7FFDA1-18B1-5FCE-0000-001014C50000}1212C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{90869922-2fcf-4d43-859e-b22588a4ffef}\LeaseObtainedTimeDWORD (0x5fce34d1) 13241300x800000000000000021092Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 13:57:37.352{7E7FFDA1-18B1-5FCE-0000-001014C50000}1212C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{90869922-2fcf-4d43-859e-b22588a4ffef}\T1DWORD (0x5fce3bd9) 13241300x800000000000000021093Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 13:57:37.352{7E7FFDA1-18B1-5FCE-0000-001014C50000}1212C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{90869922-2fcf-4d43-859e-b22588a4ffef}\T2DWORD (0x5fce411f) 13241300x800000000000000021094Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 13:57:37.352{7E7FFDA1-18B1-5FCE-0000-001014C50000}1212C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{90869922-2fcf-4d43-859e-b22588a4ffef}\LeaseTerminatesTimeDWORD (0x5fce42e1) 13241300x800000000000000021095Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 13:57:37.352{7E7FFDA1-18B1-5FCE-0000-001014C50000}1212C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{90869922-2fcf-4d43-859e-b22588a4ffef}\AddressTypeDWORD (0x00000000) 13241300x800000000000000021096Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 13:57:37.352{7E7FFDA1-18B1-5FCE-0000-001014C50000}1212C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{90869922-2fcf-4d43-859e-b22588a4ffef}\IsServerNapAwareDWORD (0x00000000) 13241300x800000000000000021097Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 13:57:37.352{7E7FFDA1-18B1-5FCE-0000-001014C50000}1212C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{90869922-2fcf-4d43-859e-b22588a4ffef}\DhcpConnForceBroadcastFlagDWORD (0x00000000) 10341000x800000000000000021083Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:57:35.524{7E7FFDA1-18AF-5FCE-0000-001027540000}8566336C:\Windows\system32\lsass.exe{7E7FFDA1-18AE-5FCE-0000-0010EB030000}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2e101|C:\Windows\system32\lsasrv.dll+2c2c4|C:\Windows\system32\lsasrv.dll+31819|C:\Windows\system32\lsasrv.dll+2f177|C:\Windows\system32\lsasrv.dll+2e101|C:\Windows\system32\lsasrv.dll+16cdd|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 154100x800000000000000021075Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:57:16.494{7E7FFDA1-34BC-5FCE-0000-00101B5F2C00}6680C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000021076Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:57:16.493{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-34BC-5FCE-0000-00101B5F2C00}6680C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021077Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:57:16.493{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640788C:\Windows\system32\csrss.exe{7E7FFDA1-34BC-5FCE-0000-00101B5F2C00}6680C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000021078Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:57:16.493{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021079Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:57:16.493{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021080Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:57:16.493{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021081Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:57:16.493{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021082Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:57:16.493{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-34BC-5FCE-0000-00101B5F2C00}6680C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000021066Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:57:15.337{7E7FFDA1-34BB-5FCE-0000-0010435D2C00}6188C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe?????"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000021067Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:57:15.337{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-34BB-5FCE-0000-0010435D2C00}6188C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021068Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:57:15.337{7E7FFDA1-18AF-5FCE-0000-0010FA420000}6402404C:\Windows\system32\csrss.exe{7E7FFDA1-34BB-5FCE-0000-0010435D2C00}6188C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000021069Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:57:15.337{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021070Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:57:15.337{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021071Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:57:15.337{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021072Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:57:15.337{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021073Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:57:15.337{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-34BB-5FCE-0000-0010435D2C00}6188C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021074Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:57:15.477{7E7FFDA1-34BB-5FCE-0000-0010435D2C00}61885036C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000021048Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:57:14.165{7E7FFDA1-34BA-5FCE-0000-00108C592C00}4968C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe?????"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000021049Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:57:14.165{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-34BA-5FCE-0000-00108C592C00}4968C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021050Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:57:14.165{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640656C:\Windows\system32\csrss.exe{7E7FFDA1-34BA-5FCE-0000-00108C592C00}4968C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000021051Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:57:14.165{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021052Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:57:14.165{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021053Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:57:14.165{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021054Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:57:14.165{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021055Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:57:14.165{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-34BA-5FCE-0000-00108C592C00}4968C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021056Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:57:14.305{7E7FFDA1-34BA-5FCE-0000-00108C592C00}49685744C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000021057Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:57:14.837{7E7FFDA1-34BA-5FCE-0000-0010385B2C00}6588C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000021058Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:57:14.837{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-34BA-5FCE-0000-0010385B2C00}6588C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021059Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:57:14.837{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640788C:\Windows\system32\csrss.exe{7E7FFDA1-34BA-5FCE-0000-0010385B2C00}6588C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000021060Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:57:14.837{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021061Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:57:14.837{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021062Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:57:14.837{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021063Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:57:14.837{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021064Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:57:14.837{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-34BA-5FCE-0000-0010385B2C00}6588C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021065Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:57:14.977{7E7FFDA1-34BA-5FCE-0000-0010385B2C00}65887144C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000021040Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:57:13.494{7E7FFDA1-34B9-5FCE-0000-0010DE572C00}6988C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000021041Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:57:13.493{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-34B9-5FCE-0000-0010DE572C00}6988C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021042Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:57:13.493{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640788C:\Windows\system32\csrss.exe{7E7FFDA1-34B9-5FCE-0000-0010DE572C00}6988C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000021043Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:57:13.493{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021044Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:57:13.493{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021045Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:57:13.493{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021046Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:57:13.493{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021047Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:57:13.493{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-34B9-5FCE-0000-0010DE572C00}6988C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000021031Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:57:12.493{7E7FFDA1-34B8-5FCE-0000-001012562C00}6920C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000021032Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:57:12.493{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-34B8-5FCE-0000-001012562C00}6920C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021033Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:57:12.493{7E7FFDA1-18AF-5FCE-0000-0010FA420000}6402404C:\Windows\system32\csrss.exe{7E7FFDA1-34B8-5FCE-0000-001012562C00}6920C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000021034Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:57:12.493{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021035Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:57:12.493{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021036Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:57:12.493{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021037Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:57:12.493{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021038Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:57:12.493{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-34B8-5FCE-0000-001012562C00}6920C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021039Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:57:12.633{7E7FFDA1-34B8-5FCE-0000-001012562C00}69206120C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000021023Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:57:11.509{7E7FFDA1-34B7-5FCE-0000-001058542C00}2272C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000021024Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:57:11.508{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-34B7-5FCE-0000-001058542C00}2272C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021025Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:57:11.508{7E7FFDA1-18AF-5FCE-0000-0010FA420000}6402404C:\Windows\system32\csrss.exe{7E7FFDA1-34B7-5FCE-0000-001058542C00}2272C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000021026Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:57:11.508{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021027Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:57:11.508{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021028Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:57:11.508{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021029Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:57:11.508{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021030Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:57:11.508{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-34B7-5FCE-0000-001058542C00}2272C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000021015Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:56:16.493{7E7FFDA1-3480-5FCE-0000-001074482C00}6900C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000021016Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:56:16.493{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-3480-5FCE-0000-001074482C00}6900C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021017Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:56:16.493{7E7FFDA1-18AF-5FCE-0000-0010FA420000}6401160C:\Windows\system32\csrss.exe{7E7FFDA1-3480-5FCE-0000-001074482C00}6900C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000021018Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:56:16.493{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021019Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:56:16.493{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021020Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:56:16.493{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021021Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:56:16.493{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021022Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:56:16.493{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-3480-5FCE-0000-001074482C00}6900C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000021006Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:56:15.337{7E7FFDA1-347F-5FCE-0000-0010B5462C00}2140C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe?????"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000021007Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:56:15.336{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-347F-5FCE-0000-0010B5462C00}2140C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021008Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:56:15.336{7E7FFDA1-18AF-5FCE-0000-0010FA420000}6402404C:\Windows\system32\csrss.exe{7E7FFDA1-347F-5FCE-0000-0010B5462C00}2140C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000021009Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:56:15.336{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021010Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:56:15.336{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021011Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:56:15.336{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021012Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:56:15.336{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021013Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:56:15.336{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-347F-5FCE-0000-0010B5462C00}2140C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021014Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:56:15.477{7E7FFDA1-347F-5FCE-0000-0010B5462C00}21407152C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000020988Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:56:14.165{7E7FFDA1-347E-5FCE-0000-0010D5422C00}3688C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe?????"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000020989Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:56:14.164{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-347E-5FCE-0000-0010D5422C00}3688C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020990Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:56:14.164{7E7FFDA1-18AF-5FCE-0000-0010FA420000}6401160C:\Windows\system32\csrss.exe{7E7FFDA1-347E-5FCE-0000-0010D5422C00}3688C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000020991Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:56:14.164{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020992Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:56:14.164{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020993Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:56:14.164{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020994Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:56:14.164{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020995Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:56:14.164{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-347E-5FCE-0000-0010D5422C00}3688C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020996Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:56:14.305{7E7FFDA1-347E-5FCE-0000-0010D5422C00}36886076C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000020997Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:56:14.837{7E7FFDA1-347E-5FCE-0000-001090442C00}5208C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000020998Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:56:14.836{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-347E-5FCE-0000-001090442C00}5208C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020999Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:56:14.836{7E7FFDA1-18AF-5FCE-0000-0010FA420000}6401160C:\Windows\system32\csrss.exe{7E7FFDA1-347E-5FCE-0000-001090442C00}5208C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000021000Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:56:14.836{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021001Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:56:14.836{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021002Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:56:14.836{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021003Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:56:14.836{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021004Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:56:14.836{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-347E-5FCE-0000-001090442C00}5208C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021005Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:56:14.977{7E7FFDA1-347E-5FCE-0000-001090442C00}52086232C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000020980Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:56:13.493{7E7FFDA1-347D-5FCE-0000-001023412C00}2796C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000020981Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:56:13.492{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-347D-5FCE-0000-001023412C00}2796C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020982Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:56:13.492{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640656C:\Windows\system32\csrss.exe{7E7FFDA1-347D-5FCE-0000-001023412C00}2796C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000020983Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:56:13.492{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020984Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:56:13.492{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020985Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:56:13.492{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020986Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:56:13.492{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020987Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:56:13.492{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-347D-5FCE-0000-001023412C00}2796C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000020971Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:56:12.493{7E7FFDA1-347C-5FCE-0000-0010563F2C00}5476C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000020972Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:56:12.493{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-347C-5FCE-0000-0010563F2C00}5476C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020973Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:56:12.493{7E7FFDA1-18AF-5FCE-0000-0010FA420000}6401160C:\Windows\system32\csrss.exe{7E7FFDA1-347C-5FCE-0000-0010563F2C00}5476C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000020974Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:56:12.493{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020975Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:56:12.493{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020976Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:56:12.493{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020977Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:56:12.493{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020978Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:56:12.493{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-347C-5FCE-0000-0010563F2C00}5476C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020979Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:56:12.633{7E7FFDA1-347C-5FCE-0000-0010563F2C00}54763560C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000020963Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:56:11.493{7E7FFDA1-347B-5FCE-0000-0010A73D2C00}6048C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000020964Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:56:11.492{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-347B-5FCE-0000-0010A73D2C00}6048C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020965Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:56:11.492{7E7FFDA1-18AF-5FCE-0000-0010FA420000}6401160C:\Windows\system32\csrss.exe{7E7FFDA1-347B-5FCE-0000-0010A73D2C00}6048C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000020966Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:56:11.492{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020967Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:56:11.492{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020968Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:56:11.492{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020969Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:56:11.492{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020970Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:56:11.492{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-347B-5FCE-0000-0010A73D2C00}6048C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x800000000000000020953Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 13:55:58.367{7E7FFDA1-18AF-5FCE-0000-001027540000}856C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d6cca9-0x1228626a) 13241300x800000000000000020954Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 13:55:58.367{7E7FFDA1-18AF-5FCE-0000-001027540000}856C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d6cca0-0xb063fa6a) 13241300x800000000000000020955Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 13:55:58.367{7E7FFDA1-18AF-5FCE-0000-001027540000}856C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d6cc98-0x4e9f926a) 13241300x800000000000000020956Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 13:55:58.367{7E7FFDA1-18AF-5FCE-0000-001027540000}856C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x006c783f) 13241300x800000000000000020957Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 13:55:58.367{7E7FFDA1-18AF-5FCE-0000-001027540000}856C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x800000000000000020958Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 13:55:58.367{7E7FFDA1-18AF-5FCE-0000-001027540000}856C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d6cca9-0x1228626a) 13241300x800000000000000020959Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 13:55:58.367{7E7FFDA1-18AF-5FCE-0000-001027540000}856C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d6cca0-0xb063fa6a) 13241300x800000000000000020960Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 13:55:58.367{7E7FFDA1-18AF-5FCE-0000-001027540000}856C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d6cc98-0x4e9f926a) 13241300x800000000000000020961Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 13:55:58.367{7E7FFDA1-18AF-5FCE-0000-001027540000}856C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x006c783f) 13241300x800000000000000020962Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 13:55:58.367{7E7FFDA1-18AF-5FCE-0000-001027540000}856C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 10341000x800000000000000020924Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:55:42.477{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-0010F6730B00}5664C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020925Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:55:42.477{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-0010F6730B00}5664C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020926Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:55:42.477{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-0010F6730B00}5664C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020927Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:55:42.477{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-0010F6730B00}5664C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020928Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:55:42.477{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-0010F6730B00}5664C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020929Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:55:42.477{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-0010F6730B00}5664C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020930Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:55:42.477{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-0010F6730B00}5664C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020931Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:55:42.477{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-0010F6730B00}5664C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020932Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:55:42.477{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-001032810B00}5772C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020933Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:55:42.477{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-001032810B00}5772C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020934Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:55:42.477{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-001032810B00}5772C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020935Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:55:42.477{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-001032810B00}5772C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020936Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:55:42.477{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-001032810B00}5772C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020937Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:55:42.477{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-001032810B00}5772C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020938Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:55:42.477{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-001032810B00}5772C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020939Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:55:42.477{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020940Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:55:42.477{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020941Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:55:42.477{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020942Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:55:42.477{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020943Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:55:42.477{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020944Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:55:42.477{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020945Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:55:42.477{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020946Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:55:42.477{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020947Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:55:42.477{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020948Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:55:42.477{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020949Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:55:42.477{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020950Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:55:42.477{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020951Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:55:42.477{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020952Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:55:42.477{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020923Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:55:39.695{7E7FFDA1-18AF-5FCE-0000-001027540000}856896C:\Windows\system32\lsass.exe{7E7FFDA1-18AE-5FCE-0000-0010EB030000}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2e101|C:\Windows\system32\lsasrv.dll+2c2c4|C:\Windows\system32\lsasrv.dll+31819|C:\Windows\system32\lsasrv.dll+2f177|C:\Windows\system32\lsasrv.dll+2e101|C:\Windows\system32\lsasrv.dll+16cdd|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x800000000000000020920Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:55:37.399{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18B1-5FCE-0000-0010CBF20000}1588C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020921Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:55:37.399{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18B1-5FCE-0000-0010CBF20000}1588C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020922Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:55:37.399{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18B1-5FCE-0000-0010CBF20000}1588C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000020912Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:55:16.493{7E7FFDA1-3444-5FCE-0000-0010A42B2C00}2932C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000020913Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:55:16.492{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-3444-5FCE-0000-0010A42B2C00}2932C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020914Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:55:16.492{7E7FFDA1-18AF-5FCE-0000-0010FA420000}6401160C:\Windows\system32\csrss.exe{7E7FFDA1-3444-5FCE-0000-0010A42B2C00}2932C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000020915Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:55:16.492{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020916Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:55:16.492{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020917Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:55:16.492{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020918Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:55:16.492{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020919Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:55:16.492{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-3444-5FCE-0000-0010A42B2C00}2932C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000020903Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:55:15.337{7E7FFDA1-3443-5FCE-0000-0010D6292C00}4492C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe?????"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000020904Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:55:15.336{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-3443-5FCE-0000-0010D6292C00}4492C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020905Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:55:15.336{7E7FFDA1-18AF-5FCE-0000-0010FA420000}6401160C:\Windows\system32\csrss.exe{7E7FFDA1-3443-5FCE-0000-0010D6292C00}4492C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000020906Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:55:15.336{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020907Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:55:15.336{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020908Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:55:15.336{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020909Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:55:15.336{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020910Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:55:15.336{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-3443-5FCE-0000-0010D6292C00}4492C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020911Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:55:15.477{7E7FFDA1-3443-5FCE-0000-0010D6292C00}44924592C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000020886Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:55:14.165{7E7FFDA1-3442-5FCE-0000-001011262C00}3300C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000020887Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:55:14.164{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-3442-5FCE-0000-001011262C00}3300C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020888Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:55:14.164{7E7FFDA1-18AF-5FCE-0000-0010FA420000}6401160C:\Windows\system32\csrss.exe{7E7FFDA1-3442-5FCE-0000-001011262C00}3300C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000020889Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:55:14.164{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020890Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:55:14.164{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020891Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:55:14.164{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020892Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:55:14.164{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020893Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:55:14.164{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-3442-5FCE-0000-001011262C00}3300C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000020894Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:55:14.837{7E7FFDA1-3442-5FCE-0000-0010AE272C00}1772C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000020895Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:55:14.836{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-3442-5FCE-0000-0010AE272C00}1772C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020896Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:55:14.836{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640788C:\Windows\system32\csrss.exe{7E7FFDA1-3442-5FCE-0000-0010AE272C00}1772C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000020897Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:55:14.836{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020898Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:55:14.836{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020899Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:55:14.836{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020900Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:55:14.836{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020901Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:55:14.836{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-3442-5FCE-0000-0010AE272C00}1772C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020902Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:55:14.977{7E7FFDA1-3442-5FCE-0000-0010AE272C00}17726488C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000020877Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:55:13.493{7E7FFDA1-3441-5FCE-0000-001053242C00}3684C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe?????"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000020878Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:55:13.492{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-3441-5FCE-0000-001053242C00}3684C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020879Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:55:13.492{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640788C:\Windows\system32\csrss.exe{7E7FFDA1-3441-5FCE-0000-001053242C00}3684C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000020880Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:55:13.492{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020881Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:55:13.492{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020882Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:55:13.492{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020883Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:55:13.492{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020884Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:55:13.492{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-3441-5FCE-0000-001053242C00}3684C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020885Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:55:13.633{7E7FFDA1-3441-5FCE-0000-001053242C00}36846872C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000020868Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:55:12.493{7E7FFDA1-3440-5FCE-0000-001085222C00}3952C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000020869Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:55:12.492{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-3440-5FCE-0000-001085222C00}3952C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020870Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:55:12.492{7E7FFDA1-18AF-5FCE-0000-0010FA420000}6401160C:\Windows\system32\csrss.exe{7E7FFDA1-3440-5FCE-0000-001085222C00}3952C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000020871Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:55:12.492{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020872Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:55:12.492{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020873Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:55:12.492{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020874Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:55:12.492{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020875Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:55:12.492{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-3440-5FCE-0000-001085222C00}3952C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020876Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:55:12.633{7E7FFDA1-3440-5FCE-0000-001085222C00}39523648C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000020860Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:55:11.493{7E7FFDA1-343F-5FCE-0000-0010D8202C00}1860C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000020861Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:55:11.492{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-343F-5FCE-0000-0010D8202C00}1860C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020862Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:55:11.492{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640788C:\Windows\system32\csrss.exe{7E7FFDA1-343F-5FCE-0000-0010D8202C00}1860C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000020863Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:55:11.492{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020864Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:55:11.492{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020865Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:55:11.492{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020866Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:55:11.492{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020867Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:55:11.492{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-343F-5FCE-0000-0010D8202C00}1860C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x800000000000000020859Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 13:54:41.555{7E7FFDA1-18B1-5FCE-0000-001008C50000}1204C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d6cca0-0x82d09b3b) 154100x800000000000000020851Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:54:16.493{7E7FFDA1-3408-5FCE-0000-0010A7142C00}4732C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000020852Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:54:16.492{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-3408-5FCE-0000-0010A7142C00}4732C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020853Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:54:16.492{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640788C:\Windows\system32\csrss.exe{7E7FFDA1-3408-5FCE-0000-0010A7142C00}4732C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000020854Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:54:16.492{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020855Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:54:16.492{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020856Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:54:16.492{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020857Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:54:16.492{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020858Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:54:16.492{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-3408-5FCE-0000-0010A7142C00}4732C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000020842Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:54:15.321{7E7FFDA1-3407-5FCE-0000-001077122C00}4856C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000020843Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:54:15.320{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-3407-5FCE-0000-001077122C00}4856C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020844Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:54:15.320{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640656C:\Windows\system32\csrss.exe{7E7FFDA1-3407-5FCE-0000-001077122C00}4856C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000020845Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:54:15.320{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020846Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:54:15.320{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020847Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:54:15.320{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020848Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:54:15.320{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020849Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:54:15.320{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-3407-5FCE-0000-001077122C00}4856C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020850Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:54:15.461{7E7FFDA1-3407-5FCE-0000-001077122C00}48566492C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000020824Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:54:14.149{7E7FFDA1-3406-5FCE-0000-0010390F2C00}2028C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe?????"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000020825Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:54:14.148{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-3406-5FCE-0000-0010390F2C00}2028C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020826Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:54:14.148{7E7FFDA1-18AF-5FCE-0000-0010FA420000}6401160C:\Windows\system32\csrss.exe{7E7FFDA1-3406-5FCE-0000-0010390F2C00}2028C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000020827Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:54:14.148{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020828Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:54:14.148{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020829Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:54:14.148{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020830Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:54:14.148{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020831Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:54:14.148{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-3406-5FCE-0000-0010390F2C00}2028C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020832Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:54:14.289{7E7FFDA1-3406-5FCE-0000-0010390F2C00}20281476C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000020833Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:54:14.821{7E7FFDA1-3406-5FCE-0000-0010E7102C00}1828C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe?????"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000020834Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:54:14.820{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-3406-5FCE-0000-0010E7102C00}1828C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020835Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:54:14.820{7E7FFDA1-18AF-5FCE-0000-0010FA420000}6402404C:\Windows\system32\csrss.exe{7E7FFDA1-3406-5FCE-0000-0010E7102C00}1828C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000020836Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:54:14.820{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020837Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:54:14.820{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020838Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:54:14.820{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020839Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:54:14.820{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020840Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:54:14.820{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-3406-5FCE-0000-0010E7102C00}1828C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020841Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:54:14.961{7E7FFDA1-3406-5FCE-0000-0010E7102C00}18285876C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000020816Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:54:13.477{7E7FFDA1-3405-5FCE-0000-0010670D2C00}4276C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000020817Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:54:13.476{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-3405-5FCE-0000-0010670D2C00}4276C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020818Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:54:13.476{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640656C:\Windows\system32\csrss.exe{7E7FFDA1-3405-5FCE-0000-0010670D2C00}4276C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000020819Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:54:13.476{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020820Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:54:13.476{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020821Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:54:13.476{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020822Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:54:13.476{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020823Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:54:13.476{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-3405-5FCE-0000-0010670D2C00}4276C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000020807Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:54:12.493{7E7FFDA1-3404-5FCE-0000-0010A70B2C00}1052C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000020808Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:54:12.492{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-3404-5FCE-0000-0010A70B2C00}1052C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020809Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:54:12.492{7E7FFDA1-18AF-5FCE-0000-0010FA420000}6402404C:\Windows\system32\csrss.exe{7E7FFDA1-3404-5FCE-0000-0010A70B2C00}1052C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000020810Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:54:12.492{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020811Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:54:12.492{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020812Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:54:12.492{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020813Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:54:12.492{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020814Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:54:12.492{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-3404-5FCE-0000-0010A70B2C00}1052C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020815Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:54:12.633{7E7FFDA1-3404-5FCE-0000-0010A70B2C00}10521840C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000020799Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:54:11.493{7E7FFDA1-3403-5FCE-0000-0010EC092C00}1364C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000020800Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:54:11.492{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-3403-5FCE-0000-0010EC092C00}1364C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020801Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:54:11.492{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640788C:\Windows\system32\csrss.exe{7E7FFDA1-3403-5FCE-0000-0010EC092C00}1364C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000020802Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:54:11.492{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020803Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:54:11.492{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020804Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:54:11.492{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020805Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:54:11.492{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020806Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:54:11.492{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-3403-5FCE-0000-0010EC092C00}1364C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020770Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:53:41.461{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-0010F6730B00}5664C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020771Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:53:41.461{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-0010F6730B00}5664C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020772Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:53:41.461{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-0010F6730B00}5664C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020773Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:53:41.461{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-0010F6730B00}5664C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020774Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:53:41.461{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-0010F6730B00}5664C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020775Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:53:41.461{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-0010F6730B00}5664C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020776Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:53:41.461{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-0010F6730B00}5664C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020777Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:53:41.461{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-0010F6730B00}5664C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020778Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:53:41.461{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-001032810B00}5772C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020779Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:53:41.461{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-001032810B00}5772C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020780Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:53:41.461{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-001032810B00}5772C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020781Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:53:41.461{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-001032810B00}5772C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020782Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:53:41.461{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-001032810B00}5772C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020783Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:53:41.461{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-001032810B00}5772C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020784Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:53:41.461{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-001032810B00}5772C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020785Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:53:41.461{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020786Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:53:41.461{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020787Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:53:41.461{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020788Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:53:41.461{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020789Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:53:41.461{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020790Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:53:41.461{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020791Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:53:41.461{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020792Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:53:41.461{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020793Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:53:41.461{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020794Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:53:41.461{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020795Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:53:41.461{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020796Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:53:41.461{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020797Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:53:41.461{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020798Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:53:41.461{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x800000000000000020767Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 13:53:18.055{7E7FFDA1-18C1-5FCE-0000-001019C00200}3100C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\A47110B2-D436-47F8-BEA1-61CCEBF6C04E\Replica Set Configuration File\\?\C:\System Volume Information\DFSR\Config\Replica_A47110B2-D436-47F8-BEA1-61CCEBF6C04E.XML 13241300x800000000000000020768Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 13:53:18.055{7E7FFDA1-18C1-5FCE-0000-001019C00200}3100C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\A47110B2-D436-47F8-BEA1-61CCEBF6C04E\Config SourceDWORD (0x00000001) 13241300x800000000000000020769Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 13:53:18.070{7E7FFDA1-18C1-5FCE-0000-001019C00200}3100C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Volumes\9D191D6C-0000-0000-0000-100000000000\Volume Configuration File\\.\C:\System Volume Information\DFSR\Config\Volume_9D191D6C-0000-0000-0000-100000000000.XML 154100x800000000000000020759Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:53:16.478{7E7FFDA1-33CC-5FCE-0000-00109EFB2B00}2584C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000020760Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:53:16.477{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-33CC-5FCE-0000-00109EFB2B00}2584C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020761Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:53:16.477{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640656C:\Windows\system32\csrss.exe{7E7FFDA1-33CC-5FCE-0000-00109EFB2B00}2584C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000020762Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:53:16.477{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020763Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:53:16.477{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020764Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:53:16.477{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020765Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:53:16.477{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020766Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:53:16.477{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-33CC-5FCE-0000-00109EFB2B00}2584C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000020750Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:53:15.337{7E7FFDA1-33CB-5FCE-0000-001054F92B00}6964C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000020751Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:53:15.336{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-33CB-5FCE-0000-001054F92B00}6964C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020752Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:53:15.336{7E7FFDA1-18AF-5FCE-0000-0010FA420000}6402404C:\Windows\system32\csrss.exe{7E7FFDA1-33CB-5FCE-0000-001054F92B00}6964C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000020753Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:53:15.336{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020754Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:53:15.336{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020755Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:53:15.336{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020756Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:53:15.336{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020757Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:53:15.336{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-33CB-5FCE-0000-001054F92B00}6964C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020758Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:53:15.477{7E7FFDA1-33CB-5FCE-0000-001054F92B00}69646432C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000020732Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:53:14.149{7E7FFDA1-33CA-5FCE-0000-001007F62B00}6952C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe?????"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000020733Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:53:14.148{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-33CA-5FCE-0000-001007F62B00}6952C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020734Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:53:14.148{7E7FFDA1-18AF-5FCE-0000-0010FA420000}6402404C:\Windows\system32\csrss.exe{7E7FFDA1-33CA-5FCE-0000-001007F62B00}6952C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000020735Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:53:14.148{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020736Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:53:14.148{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020737Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:53:14.148{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020738Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:53:14.148{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020739Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:53:14.148{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-33CA-5FCE-0000-001007F62B00}6952C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020740Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:53:14.289{7E7FFDA1-33CA-5FCE-0000-001007F62B00}69526204C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000020741Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:53:14.821{7E7FFDA1-33CA-5FCE-0000-0010AFF72B00}5188C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe?????"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000020742Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:53:14.820{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-33CA-5FCE-0000-0010AFF72B00}5188C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020743Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:53:14.820{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640656C:\Windows\system32\csrss.exe{7E7FFDA1-33CA-5FCE-0000-0010AFF72B00}5188C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000020744Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:53:14.820{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020745Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:53:14.820{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020746Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:53:14.820{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020747Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:53:14.820{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020748Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:53:14.820{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-33CA-5FCE-0000-0010AFF72B00}5188C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020749Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:53:14.961{7E7FFDA1-33CA-5FCE-0000-0010AFF72B00}51886920C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000020724Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:53:13.478{7E7FFDA1-33C9-5FCE-0000-001055F42B00}6476C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000020725Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:53:13.477{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-33C9-5FCE-0000-001055F42B00}6476C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020726Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:53:13.477{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640788C:\Windows\system32\csrss.exe{7E7FFDA1-33C9-5FCE-0000-001055F42B00}6476C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000020727Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:53:13.477{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020728Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:53:13.477{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020729Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:53:13.477{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020730Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:53:13.477{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020731Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:53:13.477{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-33C9-5FCE-0000-001055F42B00}6476C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000020715Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:53:12.493{7E7FFDA1-33C8-5FCE-0000-001091F22B00}2704C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000020716Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:53:12.492{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-33C8-5FCE-0000-001091F22B00}2704C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020717Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:53:12.492{7E7FFDA1-18AF-5FCE-0000-0010FA420000}6401160C:\Windows\system32\csrss.exe{7E7FFDA1-33C8-5FCE-0000-001091F22B00}2704C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000020718Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:53:12.492{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020719Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:53:12.492{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020720Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:53:12.492{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020721Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:53:12.492{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020722Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:53:12.492{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-33C8-5FCE-0000-001091F22B00}2704C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020723Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:53:12.633{7E7FFDA1-33C8-5FCE-0000-001091F22B00}27044932C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000020707Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:53:11.493{7E7FFDA1-33C7-5FCE-0000-0010D1F02B00}6388C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000020708Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:53:11.492{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-33C7-5FCE-0000-0010D1F02B00}6388C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020709Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:53:11.492{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640656C:\Windows\system32\csrss.exe{7E7FFDA1-33C7-5FCE-0000-0010D1F02B00}6388C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000020710Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:53:11.492{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020711Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:53:11.492{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020712Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:53:11.492{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020713Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:53:11.492{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020714Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:53:11.492{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-33C7-5FCE-0000-0010D1F02B00}6388C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x800000000000000020706Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 13:52:33.695{7E7FFDA1-18B1-5FCE-0000-001008C50000}1204C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d6cca0-0x369adaf8) 154100x800000000000000020698Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:52:16.587{7E7FFDA1-3390-5FCE-0000-0010B2D32B00}3688C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000020699Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:52:16.586{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-3390-5FCE-0000-0010B2D32B00}3688C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020700Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:52:16.586{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640788C:\Windows\system32\csrss.exe{7E7FFDA1-3390-5FCE-0000-0010B2D32B00}3688C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000020701Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:52:16.586{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020702Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:52:16.586{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020703Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:52:16.586{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020704Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:52:16.586{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020705Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:52:16.586{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-3390-5FCE-0000-0010B2D32B00}3688C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000020689Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:52:15.493{7E7FFDA1-338F-5FCE-0000-001089D12B00}1548C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000020690Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:52:15.492{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-338F-5FCE-0000-001089D12B00}1548C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020691Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:52:15.492{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640788C:\Windows\system32\csrss.exe{7E7FFDA1-338F-5FCE-0000-001089D12B00}1548C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000020692Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:52:15.492{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020693Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:52:15.492{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020694Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:52:15.492{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020695Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:52:15.492{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020696Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:52:15.492{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-338F-5FCE-0000-001089D12B00}1548C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020697Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:52:15.633{7E7FFDA1-338F-5FCE-0000-001089D12B00}15485896C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000020671Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:52:14.150{7E7FFDA1-338E-5FCE-0000-00102DCE2B00}6048C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe?????"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000020672Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:52:14.149{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-338E-5FCE-0000-00102DCE2B00}6048C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020673Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:52:14.149{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640656C:\Windows\system32\csrss.exe{7E7FFDA1-338E-5FCE-0000-00102DCE2B00}6048C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000020674Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:52:14.149{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020675Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:52:14.149{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020676Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:52:14.149{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020677Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:52:14.149{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020678Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:52:14.149{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-338E-5FCE-0000-00102DCE2B00}6048C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020679Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:52:14.289{7E7FFDA1-338E-5FCE-0000-00102DCE2B00}60485636C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000020680Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:52:14.821{7E7FFDA1-338E-5FCE-0000-0010BBCF2B00}3560C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe?????"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000020681Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:52:14.820{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-338E-5FCE-0000-0010BBCF2B00}3560C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020682Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:52:14.820{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640656C:\Windows\system32\csrss.exe{7E7FFDA1-338E-5FCE-0000-0010BBCF2B00}3560C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000020683Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:52:14.820{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020684Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:52:14.820{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020685Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:52:14.820{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020686Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:52:14.820{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020687Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:52:14.820{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-338E-5FCE-0000-0010BBCF2B00}3560C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020688Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:52:14.961{7E7FFDA1-338E-5FCE-0000-0010BBCF2B00}35606044C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000020663Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:52:13.618{7E7FFDA1-338D-5FCE-0000-001061CC2B00}4948C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000020664Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:52:13.617{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-338D-5FCE-0000-001061CC2B00}4948C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020665Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:52:13.617{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640788C:\Windows\system32\csrss.exe{7E7FFDA1-338D-5FCE-0000-001061CC2B00}4948C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000020666Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:52:13.617{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020667Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:52:13.617{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020668Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:52:13.617{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020669Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:52:13.617{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020670Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:52:13.617{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-338D-5FCE-0000-001061CC2B00}4948C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000020654Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:52:12.493{7E7FFDA1-338C-5FCE-0000-00109ACA2B00}6792C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000020655Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:52:12.492{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-338C-5FCE-0000-00109ACA2B00}6792C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020656Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:52:12.492{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640656C:\Windows\system32\csrss.exe{7E7FFDA1-338C-5FCE-0000-00109ACA2B00}6792C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000020657Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:52:12.492{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020658Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:52:12.492{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020659Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:52:12.492{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020660Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:52:12.492{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020661Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:52:12.492{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-338C-5FCE-0000-00109ACA2B00}6792C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020662Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:52:12.633{7E7FFDA1-338C-5FCE-0000-00109ACA2B00}67922656C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000020646Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:52:11.493{7E7FFDA1-338B-5FCE-0000-0010DFC82B00}5928C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000020647Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:52:11.492{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-338B-5FCE-0000-0010DFC82B00}5928C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020648Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:52:11.492{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640656C:\Windows\system32\csrss.exe{7E7FFDA1-338B-5FCE-0000-0010DFC82B00}5928C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000020649Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:52:11.492{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020650Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:52:11.492{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020651Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:52:11.492{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020652Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:52:11.492{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020653Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:52:11.492{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-338B-5FCE-0000-0010DFC82B00}5928C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020645Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:51:40.445{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}6126676C:\Windows\system32\svchost.exe{7E7FFDA1-18B1-5FCE-0000-001002BA0000}1152C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000020637Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:51:16.587{7E7FFDA1-3354-5FCE-0000-0010D2BC2B00}6648C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000020638Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:51:16.586{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-3354-5FCE-0000-0010D2BC2B00}6648C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020639Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:51:16.586{7E7FFDA1-18AF-5FCE-0000-0010FA420000}6402404C:\Windows\system32\csrss.exe{7E7FFDA1-3354-5FCE-0000-0010D2BC2B00}6648C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000020640Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:51:16.586{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020641Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:51:16.586{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020642Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:51:16.586{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020643Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:51:16.586{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020644Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:51:16.586{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-3354-5FCE-0000-0010D2BC2B00}6648C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020627Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:51:15.102{7E7FFDA1-3352-5FCE-0000-0010F8B82B00}27526872C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000020628Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:51:15.634{7E7FFDA1-3353-5FCE-0000-0010B9BA2B00}5680C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000020629Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:51:15.633{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-3353-5FCE-0000-0010B9BA2B00}5680C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020630Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:51:15.633{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640656C:\Windows\system32\csrss.exe{7E7FFDA1-3353-5FCE-0000-0010B9BA2B00}5680C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000020631Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:51:15.633{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020632Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:51:15.633{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020633Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:51:15.633{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020634Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:51:15.633{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020635Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:51:15.633{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-3353-5FCE-0000-0010B9BA2B00}5680C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020636Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:51:15.774{7E7FFDA1-3353-5FCE-0000-0010B9BA2B00}56807024C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000020610Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:51:14.290{7E7FFDA1-3352-5FCE-0000-001066B72B00}5332C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe?????"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000020611Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:51:14.289{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-3352-5FCE-0000-001066B72B00}5332C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020612Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:51:14.289{7E7FFDA1-18AF-5FCE-0000-0010FA420000}6401160C:\Windows\system32\csrss.exe{7E7FFDA1-3352-5FCE-0000-001066B72B00}5332C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000020613Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:51:14.289{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020614Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:51:14.289{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020615Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:51:14.289{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020616Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:51:14.289{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020617Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:51:14.289{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-3352-5FCE-0000-001066B72B00}5332C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020618Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:51:14.430{7E7FFDA1-3352-5FCE-0000-001066B72B00}53322668C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000020619Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:51:14.962{7E7FFDA1-3352-5FCE-0000-0010F8B82B00}2752C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe?????"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000020620Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:51:14.961{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-3352-5FCE-0000-0010F8B82B00}2752C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020621Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:51:14.961{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640788C:\Windows\system32\csrss.exe{7E7FFDA1-3352-5FCE-0000-0010F8B82B00}2752C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000020622Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:51:14.961{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020623Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:51:14.961{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020624Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:51:14.961{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020625Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:51:14.961{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020626Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:51:14.961{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-3352-5FCE-0000-0010F8B82B00}2752C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000020602Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:51:13.618{7E7FFDA1-3351-5FCE-0000-001092B52B00}4808C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000020603Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:51:13.617{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-3351-5FCE-0000-001092B52B00}4808C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020604Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:51:13.617{7E7FFDA1-18AF-5FCE-0000-0010FA420000}6402404C:\Windows\system32\csrss.exe{7E7FFDA1-3351-5FCE-0000-001092B52B00}4808C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000020605Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:51:13.617{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020606Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:51:13.617{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020607Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:51:13.617{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020608Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:51:13.617{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020609Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:51:13.617{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-3351-5FCE-0000-001092B52B00}4808C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000020593Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:51:12.493{7E7FFDA1-3350-5FCE-0000-0010CCB32B00}5264C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000020594Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:51:12.492{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-3350-5FCE-0000-0010CCB32B00}5264C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020595Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:51:12.492{7E7FFDA1-18AF-5FCE-0000-0010FA420000}6401160C:\Windows\system32\csrss.exe{7E7FFDA1-3350-5FCE-0000-0010CCB32B00}5264C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000020596Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:51:12.492{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020597Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:51:12.492{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020598Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:51:12.492{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020599Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:51:12.492{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020600Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:51:12.492{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-3350-5FCE-0000-0010CCB32B00}5264C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020601Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:51:12.633{7E7FFDA1-3350-5FCE-0000-0010CCB32B00}52644128C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000020585Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:51:11.493{7E7FFDA1-334F-5FCE-0000-00101BB22B00}1572C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000020586Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:51:11.492{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-334F-5FCE-0000-00101BB22B00}1572C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020587Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:51:11.492{7E7FFDA1-18AF-5FCE-0000-0010FA420000}6402404C:\Windows\system32\csrss.exe{7E7FFDA1-334F-5FCE-0000-00101BB22B00}1572C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000020588Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:51:11.492{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020589Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:51:11.492{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020590Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:51:11.492{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020591Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:51:11.492{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020592Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:51:11.492{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-334F-5FCE-0000-00101BB22B00}1572C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x800000000000000020575Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 13:50:58.352{7E7FFDA1-18AF-5FCE-0000-001027540000}856C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d6cca8-0x5f55ba7a) 13241300x800000000000000020576Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 13:50:58.352{7E7FFDA1-18AF-5FCE-0000-001027540000}856C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d6cc9f-0xfd91527a) 13241300x800000000000000020577Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 13:50:58.352{7E7FFDA1-18AF-5FCE-0000-001027540000}856C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d6cc97-0x9bccea7a) 13241300x800000000000000020578Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 13:50:58.352{7E7FFDA1-18AF-5FCE-0000-001027540000}856C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x0067e450) 13241300x800000000000000020579Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 13:50:58.352{7E7FFDA1-18AF-5FCE-0000-001027540000}856C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x800000000000000020580Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 13:50:58.352{7E7FFDA1-18AF-5FCE-0000-001027540000}856C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d6cca8-0x5f55ba7a) 13241300x800000000000000020581Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 13:50:58.352{7E7FFDA1-18AF-5FCE-0000-001027540000}856C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d6cc9f-0xfd91527a) 13241300x800000000000000020582Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 13:50:58.352{7E7FFDA1-18AF-5FCE-0000-001027540000}856C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d6cc97-0x9bccea7a) 13241300x800000000000000020583Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 13:50:58.352{7E7FFDA1-18AF-5FCE-0000-001027540000}856C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x0067e450) 13241300x800000000000000020584Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 13:50:58.352{7E7FFDA1-18AF-5FCE-0000-001027540000}856C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 10341000x800000000000000020574Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:50:39.555{7E7FFDA1-18AF-5FCE-0000-001027540000}856424C:\Windows\system32\lsass.exe{7E7FFDA1-18AE-5FCE-0000-0010EB030000}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2e101|C:\Windows\system32\lsasrv.dll+2c2c4|C:\Windows\system32\lsasrv.dll+31819|C:\Windows\system32\lsasrv.dll+2f177|C:\Windows\system32\lsasrv.dll+2e101|C:\Windows\system32\lsasrv.dll+16cdd|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x800000000000000020571Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:50:37.383{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18B1-5FCE-0000-0010CBF20000}1588C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020572Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:50:37.383{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18B1-5FCE-0000-0010CBF20000}1588C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020573Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:50:37.383{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18B1-5FCE-0000-0010CBF20000}1588C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000020563Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:50:16.571{7E7FFDA1-3318-5FCE-0000-0010C2A02B00}2052C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000020564Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:50:16.571{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-3318-5FCE-0000-0010C2A02B00}2052C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020565Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:50:16.571{7E7FFDA1-18AF-5FCE-0000-0010FA420000}6402404C:\Windows\system32\csrss.exe{7E7FFDA1-3318-5FCE-0000-0010C2A02B00}2052C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000020566Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:50:16.571{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020567Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:50:16.571{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020568Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:50:16.571{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020569Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:50:16.571{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020570Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:50:16.571{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-3318-5FCE-0000-0010C2A02B00}2052C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020553Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:50:15.102{7E7FFDA1-3316-5FCE-0000-0010E59C2B00}10522128C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000020554Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:50:15.634{7E7FFDA1-3317-5FCE-0000-00108C9E2B00}4276C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000020555Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:50:15.633{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-3317-5FCE-0000-00108C9E2B00}4276C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020556Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:50:15.633{7E7FFDA1-18AF-5FCE-0000-0010FA420000}6401160C:\Windows\system32\csrss.exe{7E7FFDA1-3317-5FCE-0000-00108C9E2B00}4276C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000020557Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:50:15.633{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020558Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:50:15.633{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020559Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:50:15.633{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020560Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:50:15.633{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020561Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:50:15.633{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-3317-5FCE-0000-00108C9E2B00}4276C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020562Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:50:15.774{7E7FFDA1-3317-5FCE-0000-00108C9E2B00}42767160C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000020537Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:50:14.290{7E7FFDA1-3316-5FCE-0000-0010339B2B00}3492C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000020538Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:50:14.289{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-3316-5FCE-0000-0010339B2B00}3492C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020539Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:50:14.289{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640788C:\Windows\system32\csrss.exe{7E7FFDA1-3316-5FCE-0000-0010339B2B00}3492C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000020540Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:50:14.289{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020541Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:50:14.289{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020542Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:50:14.289{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020543Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:50:14.289{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020544Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:50:14.289{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-3316-5FCE-0000-0010339B2B00}3492C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000020545Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:50:14.962{7E7FFDA1-3316-5FCE-0000-0010E59C2B00}1052C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe?????"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000020546Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:50:14.961{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-3316-5FCE-0000-0010E59C2B00}1052C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020547Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:50:14.961{7E7FFDA1-18AF-5FCE-0000-0010FA420000}6402404C:\Windows\system32\csrss.exe{7E7FFDA1-3316-5FCE-0000-0010E59C2B00}1052C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000020548Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:50:14.961{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020549Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:50:14.961{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020550Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:50:14.961{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020551Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:50:14.961{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020552Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:50:14.961{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-3316-5FCE-0000-0010E59C2B00}1052C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000020528Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:50:13.618{7E7FFDA1-3315-5FCE-0000-001079992B00}2896C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe?????"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000020529Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:50:13.617{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-3315-5FCE-0000-001079992B00}2896C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020530Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:50:13.617{7E7FFDA1-18AF-5FCE-0000-0010FA420000}6401160C:\Windows\system32\csrss.exe{7E7FFDA1-3315-5FCE-0000-001079992B00}2896C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000020531Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:50:13.617{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020532Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:50:13.617{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020533Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:50:13.617{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020534Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:50:13.617{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020535Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:50:13.617{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-3315-5FCE-0000-001079992B00}2896C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020536Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:50:13.758{7E7FFDA1-3315-5FCE-0000-001079992B00}28965416C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000020519Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:50:12.493{7E7FFDA1-3314-5FCE-0000-00109E972B00}5452C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000020520Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:50:12.492{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-3314-5FCE-0000-00109E972B00}5452C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020521Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:50:12.492{7E7FFDA1-18AF-5FCE-0000-0010FA420000}6402404C:\Windows\system32\csrss.exe{7E7FFDA1-3314-5FCE-0000-00109E972B00}5452C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000020522Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:50:12.492{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020523Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:50:12.492{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020524Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:50:12.492{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020525Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:50:12.492{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020526Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:50:12.492{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-3314-5FCE-0000-00109E972B00}5452C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020527Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:50:12.633{7E7FFDA1-3314-5FCE-0000-00109E972B00}54526444C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000020511Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:50:11.493{7E7FFDA1-3313-5FCE-0000-0010EB952B00}1272C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000020512Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:50:11.493{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-3313-5FCE-0000-0010EB952B00}1272C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020513Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:50:11.493{7E7FFDA1-18AF-5FCE-0000-0010FA420000}6401160C:\Windows\system32\csrss.exe{7E7FFDA1-3313-5FCE-0000-0010EB952B00}1272C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000020514Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:50:11.493{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020515Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:50:11.493{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020516Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:50:11.493{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020517Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:50:11.493{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020518Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:50:11.493{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-3313-5FCE-0000-0010EB952B00}1272C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020482Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:49:44.227{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-0010F6730B00}5664C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020483Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:49:44.227{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-0010F6730B00}5664C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020484Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:49:44.227{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-0010F6730B00}5664C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020485Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:49:44.227{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-0010F6730B00}5664C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020486Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:49:44.227{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-0010F6730B00}5664C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020487Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:49:44.227{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-0010F6730B00}5664C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020488Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:49:44.227{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-0010F6730B00}5664C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020489Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:49:44.227{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-0010F6730B00}5664C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020490Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:49:44.227{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-001032810B00}5772C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020491Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:49:44.227{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-001032810B00}5772C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020492Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:49:44.227{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-001032810B00}5772C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020493Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:49:44.227{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-001032810B00}5772C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020494Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:49:44.227{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-001032810B00}5772C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020495Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:49:44.227{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-001032810B00}5772C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020496Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:49:44.227{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-001032810B00}5772C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020497Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:49:44.227{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020498Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:49:44.227{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020499Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:49:44.227{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020500Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:49:44.227{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020501Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:49:44.227{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020502Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:49:44.227{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020503Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:49:44.227{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020504Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:49:44.227{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020505Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:49:44.227{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020506Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:49:44.227{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020507Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:49:44.227{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020508Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:49:44.227{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020509Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:49:44.227{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020510Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:49:44.227{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000020474Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:49:16.556{7E7FFDA1-32DC-5FCE-0000-001068892B00}5196C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000020475Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:49:16.555{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-32DC-5FCE-0000-001068892B00}5196C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020476Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:49:16.555{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640788C:\Windows\system32\csrss.exe{7E7FFDA1-32DC-5FCE-0000-001068892B00}5196C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000020477Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:49:16.555{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020478Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:49:16.555{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020479Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:49:16.555{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020480Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:49:16.555{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020481Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:49:16.555{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-32DC-5FCE-0000-001068892B00}5196C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020464Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:49:15.024{7E7FFDA1-32DA-5FCE-0000-001087852B00}40406000C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000020465Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:49:15.494{7E7FFDA1-32DB-5FCE-0000-001039872B00}5220C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000020466Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:49:15.493{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-32DB-5FCE-0000-001039872B00}5220C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020467Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:49:15.493{7E7FFDA1-18AF-5FCE-0000-0010FA420000}6402404C:\Windows\system32\csrss.exe{7E7FFDA1-32DB-5FCE-0000-001039872B00}5220C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000020468Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:49:15.493{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020469Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:49:15.493{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020470Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:49:15.493{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020471Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:49:15.493{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020472Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:49:15.493{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-32DB-5FCE-0000-001039872B00}5220C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020473Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:49:15.633{7E7FFDA1-32DB-5FCE-0000-001039872B00}52204280C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000020447Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:49:14.290{7E7FFDA1-32DA-5FCE-0000-0010BE832B00}3884C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe?????"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000020448Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:49:14.289{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-32DA-5FCE-0000-0010BE832B00}3884C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020449Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:49:14.289{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640656C:\Windows\system32\csrss.exe{7E7FFDA1-32DA-5FCE-0000-0010BE832B00}3884C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000020450Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:49:14.289{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020451Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:49:14.289{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020452Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:49:14.289{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020453Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:49:14.289{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020454Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:49:14.289{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-32DA-5FCE-0000-0010BE832B00}3884C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020455Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:49:14.430{7E7FFDA1-32DA-5FCE-0000-0010BE832B00}38841316C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000020456Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:49:14.885{7E7FFDA1-32DA-5FCE-0000-001087852B00}4040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe?????"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000020457Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:49:14.883{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-32DA-5FCE-0000-001087852B00}4040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020458Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:49:14.883{7E7FFDA1-18AF-5FCE-0000-0010FA420000}6401160C:\Windows\system32\csrss.exe{7E7FFDA1-32DA-5FCE-0000-001087852B00}4040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000020459Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:49:14.883{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020460Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:49:14.883{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020461Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:49:14.883{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020462Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:49:14.883{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020463Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:49:14.883{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-32DA-5FCE-0000-001087852B00}4040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x800000000000000020433Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 13:49:13.493{7E7FFDA1-18B1-5FCE-0000-001044CB0000}1260C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\NcbService\NCB\KapiNlmCache\7\NumNetworksDWORD (0x00000001) 13241300x800000000000000020434Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 13:49:13.493{7E7FFDA1-18B1-5FCE-0000-001044CB0000}1260C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\NcbService\NCB\KapiNlmCache\7\NetworksBinary Data 13241300x800000000000000020435Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 13:49:13.493{7E7FFDA1-18B1-5FCE-0000-001044CB0000}1260C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\NcbService\NCB\KapiNlmCache\7\TimestampQWORD (0x01d6cc9f-0xbf464ef4) 13241300x800000000000000020436Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 13:49:13.493{7E7FFDA1-18B1-5FCE-0000-001044CB0000}1260C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\NcbService\NCB\KapiNlmCache\7\KeySizeDWORD (0x00000000) 13241300x800000000000000020437Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 13:49:13.493{7E7FFDA1-18B1-5FCE-0000-001044CB0000}1260C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\NcbService\NCB\KapiNlmCache\7\ValueSizeDWORD (0x00000008) 13241300x800000000000000020438Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 13:49:13.493{7E7FFDA1-18B1-5FCE-0000-001044CB0000}1260C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\NcbService\NCB\KapiNlmCache\7\ValueBinary Data 154100x800000000000000020439Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:49:13.619{7E7FFDA1-32D9-5FCE-0000-0010FA812B00}2500C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000020440Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:49:13.618{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-32D9-5FCE-0000-0010FA812B00}2500C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020441Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:49:13.618{7E7FFDA1-18AF-5FCE-0000-0010FA420000}6402404C:\Windows\system32\csrss.exe{7E7FFDA1-32D9-5FCE-0000-0010FA812B00}2500C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000020442Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:49:13.618{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020443Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:49:13.618{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020444Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:49:13.618{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020445Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:49:13.618{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020446Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:49:13.618{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-32D9-5FCE-0000-0010FA812B00}2500C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000020424Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:49:12.493{7E7FFDA1-32D8-5FCE-0000-0010FF7F2B00}5424C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000020425Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:49:12.493{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-32D8-5FCE-0000-0010FF7F2B00}5424C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020426Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:49:12.493{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640788C:\Windows\system32\csrss.exe{7E7FFDA1-32D8-5FCE-0000-0010FF7F2B00}5424C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000020427Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:49:12.493{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020428Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:49:12.493{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020429Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:49:12.493{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020430Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:49:12.493{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020431Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:49:12.493{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-32D8-5FCE-0000-0010FF7F2B00}5424C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020432Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:49:12.633{7E7FFDA1-32D8-5FCE-0000-0010FF7F2B00}54244188C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000020416Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:49:11.493{7E7FFDA1-32D7-5FCE-0000-00104B7E2B00}4364C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000020417Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:49:11.493{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-32D7-5FCE-0000-00104B7E2B00}4364C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020418Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:49:11.493{7E7FFDA1-18AF-5FCE-0000-0010FA420000}6401160C:\Windows\system32\csrss.exe{7E7FFDA1-32D7-5FCE-0000-00104B7E2B00}4364C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000020419Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:49:11.493{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020420Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:49:11.493{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020421Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:49:11.493{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020422Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:49:11.493{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020423Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:49:11.493{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-32D7-5FCE-0000-00104B7E2B00}4364C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x800000000000000020413Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 13:48:17.618{7E7FFDA1-18C1-5FCE-0000-001019C00200}3100C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\A47110B2-D436-47F8-BEA1-61CCEBF6C04E\Replica Set Configuration File\\?\C:\System Volume Information\DFSR\Config\Replica_A47110B2-D436-47F8-BEA1-61CCEBF6C04E.XML 13241300x800000000000000020414Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 13:48:17.618{7E7FFDA1-18C1-5FCE-0000-001019C00200}3100C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\A47110B2-D436-47F8-BEA1-61CCEBF6C04E\Config SourceDWORD (0x00000001) 13241300x800000000000000020415Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 13:48:17.633{7E7FFDA1-18C1-5FCE-0000-001019C00200}3100C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Volumes\9D191D6C-0000-0000-0000-100000000000\Volume Configuration File\\.\C:\System Volume Information\DFSR\Config\Volume_9D191D6C-0000-0000-0000-100000000000.XML 154100x800000000000000020405Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:48:16.556{7E7FFDA1-32A0-5FCE-0000-00104D702B00}6740C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000020406Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:48:16.555{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-32A0-5FCE-0000-00104D702B00}6740C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020407Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:48:16.555{7E7FFDA1-18AF-5FCE-0000-0010FA420000}6401160C:\Windows\system32\csrss.exe{7E7FFDA1-32A0-5FCE-0000-00104D702B00}6740C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000020408Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:48:16.555{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020409Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:48:16.555{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020410Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:48:16.555{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020411Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:48:16.555{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020412Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:48:16.555{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-32A0-5FCE-0000-00104D702B00}6740C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020395Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:48:15.086{7E7FFDA1-329E-5FCE-0000-0010696C2B00}52882656C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000020396Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:48:15.603{7E7FFDA1-329F-5FCE-0000-0010846E2B00}6816C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe?????"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000020397Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:48:15.602{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-329F-5FCE-0000-0010846E2B00}6816C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020398Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:48:15.602{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640656C:\Windows\system32\csrss.exe{7E7FFDA1-329F-5FCE-0000-0010846E2B00}6816C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000020399Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:48:15.602{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020400Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:48:15.602{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020401Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:48:15.602{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020402Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:48:15.602{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020403Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:48:15.602{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-329F-5FCE-0000-0010846E2B00}6816C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020404Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:48:15.743{7E7FFDA1-329F-5FCE-0000-0010846E2B00}68166708C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000020379Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:48:14.275{7E7FFDA1-329E-5FCE-0000-0010B36A2B00}4232C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000020380Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:48:14.274{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-329E-5FCE-0000-0010B36A2B00}4232C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020381Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:48:14.274{7E7FFDA1-18AF-5FCE-0000-0010FA420000}6402404C:\Windows\system32\csrss.exe{7E7FFDA1-329E-5FCE-0000-0010B36A2B00}4232C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000020382Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:48:14.274{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020383Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:48:14.274{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020384Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:48:14.274{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020385Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:48:14.274{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020386Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:48:14.274{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-329E-5FCE-0000-0010B36A2B00}4232C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000020387Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:48:14.947{7E7FFDA1-329E-5FCE-0000-0010696C2B00}5288C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000020388Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:48:14.946{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-329E-5FCE-0000-0010696C2B00}5288C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020389Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:48:14.946{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640788C:\Windows\system32\csrss.exe{7E7FFDA1-329E-5FCE-0000-0010696C2B00}5288C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000020390Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:48:14.946{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020391Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:48:14.946{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020392Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:48:14.946{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020393Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:48:14.946{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020394Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:48:14.946{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-329E-5FCE-0000-0010696C2B00}5288C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000020370Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:48:13.618{7E7FFDA1-329D-5FCE-0000-001007692B00}6616C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe?????"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000020371Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:48:13.618{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-329D-5FCE-0000-001007692B00}6616C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020372Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:48:13.618{7E7FFDA1-18AF-5FCE-0000-0010FA420000}6402404C:\Windows\system32\csrss.exe{7E7FFDA1-329D-5FCE-0000-001007692B00}6616C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000020373Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:48:13.618{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020374Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:48:13.618{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020375Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:48:13.618{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020376Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:48:13.618{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020377Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:48:13.618{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-329D-5FCE-0000-001007692B00}6616C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020378Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:48:13.758{7E7FFDA1-329D-5FCE-0000-001007692B00}66165324C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000020361Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:48:12.493{7E7FFDA1-329C-5FCE-0000-00102A672B00}6720C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000020362Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:48:12.493{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-329C-5FCE-0000-00102A672B00}6720C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020363Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:48:12.493{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640656C:\Windows\system32\csrss.exe{7E7FFDA1-329C-5FCE-0000-00102A672B00}6720C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000020364Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:48:12.493{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020365Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:48:12.493{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020366Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:48:12.493{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020367Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:48:12.493{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020368Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:48:12.493{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-329C-5FCE-0000-00102A672B00}6720C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020369Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:48:12.633{7E7FFDA1-329C-5FCE-0000-00102A672B00}67204844C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000020353Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:48:11.493{7E7FFDA1-329B-5FCE-0000-00107C652B00}6532C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000020354Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:48:11.493{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-329B-5FCE-0000-00107C652B00}6532C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020355Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:48:11.493{7E7FFDA1-18AF-5FCE-0000-0010FA420000}6402404C:\Windows\system32\csrss.exe{7E7FFDA1-329B-5FCE-0000-00107C652B00}6532C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000020356Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:48:11.493{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020357Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:48:11.493{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020358Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:48:11.493{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020359Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:48:11.493{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020360Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:48:11.493{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-329B-5FCE-0000-00107C652B00}6532C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020324Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:47:43.211{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-0010F6730B00}5664C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020325Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:47:43.211{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-0010F6730B00}5664C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020326Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:47:43.211{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-0010F6730B00}5664C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020327Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:47:43.211{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-0010F6730B00}5664C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020328Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:47:43.211{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-0010F6730B00}5664C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020329Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:47:43.211{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-0010F6730B00}5664C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020330Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:47:43.211{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-0010F6730B00}5664C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020331Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:47:43.211{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-0010F6730B00}5664C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020332Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:47:43.211{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-001032810B00}5772C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020333Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:47:43.211{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-001032810B00}5772C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020334Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:47:43.211{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-001032810B00}5772C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020335Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:47:43.211{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-001032810B00}5772C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020336Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:47:43.211{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-001032810B00}5772C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020337Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:47:43.211{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-001032810B00}5772C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020338Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:47:43.211{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-001032810B00}5772C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020339Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:47:43.211{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020340Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:47:43.211{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020341Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:47:43.211{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020342Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:47:43.211{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020343Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:47:43.211{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020344Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:47:43.211{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020345Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:47:43.211{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020346Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:47:43.211{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020347Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:47:43.211{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020348Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:47:43.211{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020349Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:47:43.211{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020350Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:47:43.211{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020351Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:47:43.211{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020352Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:47:43.211{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020322Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:47:37.118{7E7FFDA1-18B1-5FCE-0000-001002BA0000}11526112C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-001019C00200}3100C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+2597b|C:\Windows\system32\wbem\wmiprvsd.dll+283dc|C:\Windows\system32\wbem\wmiprvsd.dll+57817|C:\Windows\system32\wbem\wmiprvsd.dll+8a475|C:\Windows\system32\wbem\wbemcore.dll+bcb3|C:\Windows\system32\wbem\wbemcore.dll+3393|C:\Windows\system32\wbem\wbemcore.dll+22adf|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+2c9be|C:\Windows\system32\wbem\wbemcore.dll+202d8|C:\Windows\system32\wbem\wbemcore.dll+390e|C:\Windows\system32\wbem\wbemcore.dll+22bba|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020323Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:47:37.118{7E7FFDA1-18B1-5FCE-0000-001002BA0000}11526112C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-001019C00200}3100C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+2a2f2|C:\Windows\system32\wbem\wmiprvsd.dll+29e26|C:\Windows\system32\wbem\wmiprvsd.dll+28432|C:\Windows\system32\wbem\wmiprvsd.dll+57817|C:\Windows\system32\wbem\wmiprvsd.dll+8a475|C:\Windows\system32\wbem\wbemcore.dll+bcb3|C:\Windows\system32\wbem\wbemcore.dll+3393|C:\Windows\system32\wbem\wbemcore.dll+22adf|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+2c9be|C:\Windows\system32\wbem\wbemcore.dll+202d8|C:\Windows\system32\wbem\wbemcore.dll+390e|C:\Windows\system32\wbem\wbemcore.dll+22bba|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020321Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:47:35.508{7E7FFDA1-18AF-5FCE-0000-001027540000}856896C:\Windows\system32\lsass.exe{7E7FFDA1-18AE-5FCE-0000-0010EB030000}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2e101|C:\Windows\system32\lsasrv.dll+2c2c4|C:\Windows\system32\lsasrv.dll+31819|C:\Windows\system32\lsasrv.dll+2f177|C:\Windows\system32\lsasrv.dll+2e101|C:\Windows\system32\lsasrv.dll+16cdd|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 154100x800000000000000020313Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:47:16.665{7E7FFDA1-3264-5FCE-0000-00108B572B00}7072C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000020314Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:47:16.665{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-3264-5FCE-0000-00108B572B00}7072C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020315Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:47:16.665{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640656C:\Windows\system32\csrss.exe{7E7FFDA1-3264-5FCE-0000-00108B572B00}7072C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000020316Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:47:16.665{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020317Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:47:16.665{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020318Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:47:16.665{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020319Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:47:16.665{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020320Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:47:16.665{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-3264-5FCE-0000-00108B572B00}7072C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020303Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:47:15.071{7E7FFDA1-3262-5FCE-0000-0010CF532B00}67766072C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000020304Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:47:15.587{7E7FFDA1-3263-5FCE-0000-0010C5552B00}5648C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe?????"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000020305Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:47:15.587{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-3263-5FCE-0000-0010C5552B00}5648C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020306Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:47:15.587{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640788C:\Windows\system32\csrss.exe{7E7FFDA1-3263-5FCE-0000-0010C5552B00}5648C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000020307Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:47:15.587{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020308Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:47:15.587{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020309Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:47:15.587{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020310Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:47:15.587{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020311Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:47:15.587{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-3263-5FCE-0000-0010C5552B00}5648C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020312Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:47:15.727{7E7FFDA1-3263-5FCE-0000-0010C5552B00}56485492C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000020287Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:47:14.259{7E7FFDA1-3262-5FCE-0000-0010FB512B00}5884C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000020288Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:47:14.258{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-3262-5FCE-0000-0010FB512B00}5884C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020289Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:47:14.258{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640656C:\Windows\system32\csrss.exe{7E7FFDA1-3262-5FCE-0000-0010FB512B00}5884C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000020290Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:47:14.258{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020291Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:47:14.258{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020292Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:47:14.258{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020293Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:47:14.258{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020294Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:47:14.258{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-3262-5FCE-0000-0010FB512B00}5884C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000020295Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:47:14.931{7E7FFDA1-3262-5FCE-0000-0010CF532B00}6776C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000020296Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:47:14.930{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-3262-5FCE-0000-0010CF532B00}6776C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020297Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:47:14.930{7E7FFDA1-18AF-5FCE-0000-0010FA420000}6402404C:\Windows\system32\csrss.exe{7E7FFDA1-3262-5FCE-0000-0010CF532B00}6776C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000020298Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:47:14.930{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020299Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:47:14.930{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020300Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:47:14.930{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020301Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:47:14.930{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020302Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:47:14.930{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-3262-5FCE-0000-0010CF532B00}6776C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000020278Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:47:13.603{7E7FFDA1-3261-5FCE-0000-00103E502B00}5136C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe?????"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000020279Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:47:13.602{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-3261-5FCE-0000-00103E502B00}5136C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020280Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:47:13.602{7E7FFDA1-18AF-5FCE-0000-0010FA420000}6401160C:\Windows\system32\csrss.exe{7E7FFDA1-3261-5FCE-0000-00103E502B00}5136C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000020281Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:47:13.602{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020282Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:47:13.602{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020283Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:47:13.602{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020284Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:47:13.602{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020285Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:47:13.602{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-3261-5FCE-0000-00103E502B00}5136C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020286Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:47:13.743{7E7FFDA1-3261-5FCE-0000-00103E502B00}51362492C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000020269Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:47:12.494{7E7FFDA1-3260-5FCE-0000-0010764E2B00}6052C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000020270Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:47:12.493{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-3260-5FCE-0000-0010764E2B00}6052C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020271Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:47:12.493{7E7FFDA1-18AF-5FCE-0000-0010FA420000}6402404C:\Windows\system32\csrss.exe{7E7FFDA1-3260-5FCE-0000-0010764E2B00}6052C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000020272Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:47:12.493{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020273Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:47:12.493{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020274Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:47:12.493{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020275Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:47:12.493{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020276Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:47:12.493{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-3260-5FCE-0000-0010764E2B00}6052C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020277Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:47:12.633{7E7FFDA1-3260-5FCE-0000-0010764E2B00}60522192C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000020261Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:47:11.494{7E7FFDA1-325F-5FCE-0000-0010C54C2B00}5304C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000020262Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:47:11.493{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-325F-5FCE-0000-0010C54C2B00}5304C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020263Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:47:11.493{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640656C:\Windows\system32\csrss.exe{7E7FFDA1-325F-5FCE-0000-0010C54C2B00}5304C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000020264Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:47:11.493{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020265Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:47:11.493{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020266Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:47:11.493{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020267Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:47:11.493{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020268Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:47:11.493{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-325F-5FCE-0000-0010C54C2B00}5304C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000020253Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:46:16.665{7E7FFDA1-3228-5FCE-0000-0010EE402B00}1188C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000020254Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:46:16.665{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-3228-5FCE-0000-0010EE402B00}1188C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020255Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:46:16.665{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640656C:\Windows\system32\csrss.exe{7E7FFDA1-3228-5FCE-0000-0010EE402B00}1188C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000020256Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:46:16.665{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020257Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:46:16.665{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020258Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:46:16.665{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020259Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:46:16.665{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020260Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:46:16.665{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-3228-5FCE-0000-0010EE402B00}1188C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020243Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:46:15.071{7E7FFDA1-3226-5FCE-0000-0010133D2B00}9361424C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000020244Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:46:15.587{7E7FFDA1-3227-5FCE-0000-0010253F2B00}4212C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe?????"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000020245Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:46:15.586{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-3227-5FCE-0000-0010253F2B00}4212C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020246Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:46:15.586{7E7FFDA1-18AF-5FCE-0000-0010FA420000}6401160C:\Windows\system32\csrss.exe{7E7FFDA1-3227-5FCE-0000-0010253F2B00}4212C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000020247Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:46:15.586{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020248Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:46:15.586{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020249Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:46:15.586{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020250Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:46:15.586{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020251Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:46:15.586{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-3227-5FCE-0000-0010253F2B00}4212C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020252Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:46:15.727{7E7FFDA1-3227-5FCE-0000-0010253F2B00}42125452C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000020227Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:46:14.259{7E7FFDA1-3226-5FCE-0000-0010453B2B00}5356C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000020228Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:46:14.258{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-3226-5FCE-0000-0010453B2B00}5356C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020229Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:46:14.258{7E7FFDA1-18AF-5FCE-0000-0010FA420000}6402404C:\Windows\system32\csrss.exe{7E7FFDA1-3226-5FCE-0000-0010453B2B00}5356C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000020230Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:46:14.258{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020231Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:46:14.258{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020232Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:46:14.258{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020233Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:46:14.258{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020234Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:46:14.258{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-3226-5FCE-0000-0010453B2B00}5356C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000020235Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:46:14.931{7E7FFDA1-3226-5FCE-0000-0010133D2B00}936C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000020236Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:46:14.930{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-3226-5FCE-0000-0010133D2B00}936C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020237Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:46:14.930{7E7FFDA1-18AF-5FCE-0000-0010FA420000}6401160C:\Windows\system32\csrss.exe{7E7FFDA1-3226-5FCE-0000-0010133D2B00}936C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000020238Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:46:14.930{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020239Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:46:14.930{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020240Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:46:14.930{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020241Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:46:14.930{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020242Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:46:14.930{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-3226-5FCE-0000-0010133D2B00}936C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000020218Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:46:13.587{7E7FFDA1-3225-5FCE-0000-0010A0392B00}5536C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe?????"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000020219Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:46:13.586{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-3225-5FCE-0000-0010A0392B00}5536C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020220Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:46:13.586{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640656C:\Windows\system32\csrss.exe{7E7FFDA1-3225-5FCE-0000-0010A0392B00}5536C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000020221Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:46:13.586{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020222Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:46:13.586{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020223Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:46:13.586{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020224Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:46:13.586{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020225Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:46:13.586{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-3225-5FCE-0000-0010A0392B00}5536C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020226Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:46:13.727{7E7FFDA1-3225-5FCE-0000-0010A0392B00}55364680C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000020209Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:46:12.494{7E7FFDA1-3224-5FCE-0000-0010B4372B00}5952C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000020210Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:46:12.493{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-3224-5FCE-0000-0010B4372B00}5952C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020211Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:46:12.493{7E7FFDA1-18AF-5FCE-0000-0010FA420000}6402404C:\Windows\system32\csrss.exe{7E7FFDA1-3224-5FCE-0000-0010B4372B00}5952C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000020212Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:46:12.493{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020213Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:46:12.493{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020214Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:46:12.493{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020215Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:46:12.493{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020216Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:46:12.493{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-3224-5FCE-0000-0010B4372B00}5952C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020217Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:46:12.633{7E7FFDA1-3224-5FCE-0000-0010B4372B00}59525428C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000020201Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:46:11.494{7E7FFDA1-3223-5FCE-0000-001008362B00}6608C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000020202Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:46:11.493{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-3223-5FCE-0000-001008362B00}6608C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020203Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:46:11.493{7E7FFDA1-18AF-5FCE-0000-0010FA420000}6402404C:\Windows\system32\csrss.exe{7E7FFDA1-3223-5FCE-0000-001008362B00}6608C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000020204Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:46:11.493{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020205Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:46:11.493{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020206Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:46:11.493{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020207Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:46:11.493{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020208Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:46:11.493{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-3223-5FCE-0000-001008362B00}6608C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x800000000000000020191Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 13:45:58.336{7E7FFDA1-18AF-5FCE-0000-001027540000}856C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d6cca7-0xac82eb7a) 13241300x800000000000000020192Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 13:45:58.336{7E7FFDA1-18AF-5FCE-0000-001027540000}856C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d6cc9f-0x4abe837a) 13241300x800000000000000020193Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 13:45:58.336{7E7FFDA1-18AF-5FCE-0000-001027540000}856C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d6cc96-0xe8fa1b7a) 13241300x800000000000000020194Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 13:45:58.336{7E7FFDA1-18AF-5FCE-0000-001027540000}856C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x00635060) 13241300x800000000000000020195Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 13:45:58.336{7E7FFDA1-18AF-5FCE-0000-001027540000}856C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x800000000000000020196Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 13:45:58.336{7E7FFDA1-18AF-5FCE-0000-001027540000}856C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d6cca7-0xac82eb7a) 13241300x800000000000000020197Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 13:45:58.336{7E7FFDA1-18AF-5FCE-0000-001027540000}856C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d6cc9f-0x4abe837a) 13241300x800000000000000020198Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 13:45:58.336{7E7FFDA1-18AF-5FCE-0000-001027540000}856C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d6cc96-0xe8fa1b7a) 13241300x800000000000000020199Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 13:45:58.336{7E7FFDA1-18AF-5FCE-0000-001027540000}856C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x00635060) 13241300x800000000000000020200Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 13:45:58.336{7E7FFDA1-18AF-5FCE-0000-001027540000}856C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 10341000x800000000000000020162Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:45:42.196{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-0010F6730B00}5664C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020163Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:45:42.196{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-0010F6730B00}5664C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020164Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:45:42.196{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-0010F6730B00}5664C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020165Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:45:42.196{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-0010F6730B00}5664C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020166Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:45:42.196{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-0010F6730B00}5664C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020167Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:45:42.196{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-0010F6730B00}5664C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020168Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:45:42.196{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-0010F6730B00}5664C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020169Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:45:42.196{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-0010F6730B00}5664C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020170Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:45:42.196{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-001032810B00}5772C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020171Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:45:42.196{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-001032810B00}5772C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020172Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:45:42.196{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-001032810B00}5772C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020173Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:45:42.196{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-001032810B00}5772C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020174Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:45:42.196{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-001032810B00}5772C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020175Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:45:42.196{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-001032810B00}5772C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020176Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:45:42.196{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-001032810B00}5772C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020177Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:45:42.196{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020178Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:45:42.196{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020179Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:45:42.196{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020180Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:45:42.196{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020181Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:45:42.196{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020182Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:45:42.196{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020183Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:45:42.196{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020184Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:45:42.196{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020185Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:45:42.196{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020186Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:45:42.196{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020187Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:45:42.196{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020188Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:45:42.196{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020189Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:45:42.196{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020190Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:45:42.196{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020161Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:45:39.414{7E7FFDA1-18AF-5FCE-0000-001027540000}856424C:\Windows\system32\lsass.exe{7E7FFDA1-18AE-5FCE-0000-0010EB030000}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2e101|C:\Windows\system32\lsasrv.dll+2c2c4|C:\Windows\system32\lsasrv.dll+31819|C:\Windows\system32\lsasrv.dll+2f177|C:\Windows\system32\lsasrv.dll+2e101|C:\Windows\system32\lsasrv.dll+16cdd|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x800000000000000020158Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:45:37.368{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18B1-5FCE-0000-0010CBF20000}1588C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020159Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:45:37.368{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18B1-5FCE-0000-0010CBF20000}1588C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020160Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:45:37.368{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18B1-5FCE-0000-0010CBF20000}1588C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000020150Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:45:16.665{7E7FFDA1-31EC-5FCE-0000-0010F9232B00}2844C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000020151Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:45:16.664{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-31EC-5FCE-0000-0010F9232B00}2844C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020152Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:45:16.664{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640788C:\Windows\system32\csrss.exe{7E7FFDA1-31EC-5FCE-0000-0010F9232B00}2844C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000020153Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:45:16.664{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020154Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:45:16.664{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020155Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:45:16.664{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020156Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:45:16.664{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020157Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:45:16.664{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-31EC-5FCE-0000-0010F9232B00}2844C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020140Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:45:15.071{7E7FFDA1-31EA-5FCE-0000-001014202B00}59963632C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000020141Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:45:15.587{7E7FFDA1-31EB-5FCE-0000-00104B222B00}6852C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe?????"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000020142Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:45:15.586{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-31EB-5FCE-0000-00104B222B00}6852C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020143Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:45:15.586{7E7FFDA1-18AF-5FCE-0000-0010FA420000}6401160C:\Windows\system32\csrss.exe{7E7FFDA1-31EB-5FCE-0000-00104B222B00}6852C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000020144Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:45:15.586{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020145Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:45:15.586{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020146Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:45:15.586{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020147Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:45:15.586{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020148Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:45:15.586{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-31EB-5FCE-0000-00104B222B00}6852C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020149Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:45:15.727{7E7FFDA1-31EB-5FCE-0000-00104B222B00}68522784C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000020123Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:45:14.259{7E7FFDA1-31EA-5FCE-0000-0010861E2B00}1556C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe?????"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000020124Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:45:14.258{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-31EA-5FCE-0000-0010861E2B00}1556C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020125Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:45:14.258{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640656C:\Windows\system32\csrss.exe{7E7FFDA1-31EA-5FCE-0000-0010861E2B00}1556C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000020126Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:45:14.258{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020127Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:45:14.258{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020128Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:45:14.258{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020129Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:45:14.258{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020130Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:45:14.258{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-31EA-5FCE-0000-0010861E2B00}1556C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020131Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:45:14.399{7E7FFDA1-31EA-5FCE-0000-0010861E2B00}15565812C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000020132Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:45:14.931{7E7FFDA1-31EA-5FCE-0000-001014202B00}5996C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000020133Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:45:14.930{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-31EA-5FCE-0000-001014202B00}5996C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020134Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:45:14.930{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640656C:\Windows\system32\csrss.exe{7E7FFDA1-31EA-5FCE-0000-001014202B00}5996C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000020135Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:45:14.930{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020136Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:45:14.930{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020137Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:45:14.930{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020138Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:45:14.930{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020139Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:45:14.930{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-31EA-5FCE-0000-001014202B00}5996C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000020115Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:45:13.587{7E7FFDA1-31E9-5FCE-0000-0010B41C2B00}6928C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000020116Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:45:13.586{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-31E9-5FCE-0000-0010B41C2B00}6928C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020117Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:45:13.586{7E7FFDA1-18AF-5FCE-0000-0010FA420000}6401160C:\Windows\system32\csrss.exe{7E7FFDA1-31E9-5FCE-0000-0010B41C2B00}6928C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000020118Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:45:13.586{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020119Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:45:13.586{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020120Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:45:13.586{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020121Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:45:13.586{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020122Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:45:13.586{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-31E9-5FCE-0000-0010B41C2B00}6928C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000020106Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:45:12.493{7E7FFDA1-31E8-5FCE-0000-0010ED1A2B00}2840C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000020107Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:45:12.492{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-31E8-5FCE-0000-0010ED1A2B00}2840C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020108Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:45:12.492{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640656C:\Windows\system32\csrss.exe{7E7FFDA1-31E8-5FCE-0000-0010ED1A2B00}2840C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000020109Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:45:12.492{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020110Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:45:12.492{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020111Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:45:12.492{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020112Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:45:12.492{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020113Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:45:12.492{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-31E8-5FCE-0000-0010ED1A2B00}2840C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020114Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:45:12.633{7E7FFDA1-31E8-5FCE-0000-0010ED1A2B00}28401624C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000020098Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:45:11.493{7E7FFDA1-31E7-5FCE-0000-00103C192B00}6900C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000020099Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:45:11.492{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-31E7-5FCE-0000-00103C192B00}6900C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020100Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:45:11.492{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640656C:\Windows\system32\csrss.exe{7E7FFDA1-31E7-5FCE-0000-00103C192B00}6900C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000020101Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:45:11.492{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020102Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:45:11.492{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020103Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:45:11.492{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020104Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:45:11.492{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020105Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:45:11.492{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-31E7-5FCE-0000-00103C192B00}6900C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000020090Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:44:16.665{7E7FFDA1-31B0-5FCE-0000-0010550D2B00}2376C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000020091Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:44:16.664{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-31B0-5FCE-0000-0010550D2B00}2376C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020092Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:44:16.664{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640656C:\Windows\system32\csrss.exe{7E7FFDA1-31B0-5FCE-0000-0010550D2B00}2376C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000020093Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:44:16.664{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020094Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:44:16.664{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020095Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:44:16.664{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020096Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:44:16.664{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020097Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:44:16.664{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-31B0-5FCE-0000-0010550D2B00}2376C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020080Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:44:15.055{7E7FFDA1-31AE-5FCE-0000-00106A092B00}61846668C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000020081Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:44:15.587{7E7FFDA1-31AF-5FCE-0000-0010920B2B00}1924C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe?????"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000020082Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:44:15.586{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-31AF-5FCE-0000-0010920B2B00}1924C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020083Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:44:15.586{7E7FFDA1-18AF-5FCE-0000-0010FA420000}6402404C:\Windows\system32\csrss.exe{7E7FFDA1-31AF-5FCE-0000-0010920B2B00}1924C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000020084Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:44:15.586{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020085Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:44:15.586{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020086Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:44:15.586{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020087Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:44:15.586{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020088Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:44:15.586{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-31AF-5FCE-0000-0010920B2B00}1924C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020089Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:44:15.727{7E7FFDA1-31AF-5FCE-0000-0010920B2B00}19246848C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000020063Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:44:14.243{7E7FFDA1-31AE-5FCE-0000-0010DA072B00}6948C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe?????"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000020064Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:44:14.242{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-31AE-5FCE-0000-0010DA072B00}6948C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020065Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:44:14.242{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640788C:\Windows\system32\csrss.exe{7E7FFDA1-31AE-5FCE-0000-0010DA072B00}6948C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000020066Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:44:14.242{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020067Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:44:14.242{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020068Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:44:14.242{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020069Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:44:14.242{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020070Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:44:14.242{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-31AE-5FCE-0000-0010DA072B00}6948C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020071Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:44:14.383{7E7FFDA1-31AE-5FCE-0000-0010DA072B00}69483900C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000020072Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:44:14.915{7E7FFDA1-31AE-5FCE-0000-00106A092B00}6184C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000020073Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:44:14.914{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-31AE-5FCE-0000-00106A092B00}6184C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020074Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:44:14.914{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640656C:\Windows\system32\csrss.exe{7E7FFDA1-31AE-5FCE-0000-00106A092B00}6184C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000020075Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:44:14.914{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020076Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:44:14.914{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020077Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:44:14.914{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020078Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:44:14.914{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020079Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:44:14.914{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-31AE-5FCE-0000-00106A092B00}6184C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000020055Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:44:13.587{7E7FFDA1-31AD-5FCE-0000-001004062B00}6040C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000020056Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:44:13.586{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-31AD-5FCE-0000-001004062B00}6040C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020057Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:44:13.586{7E7FFDA1-18AF-5FCE-0000-0010FA420000}6402404C:\Windows\system32\csrss.exe{7E7FFDA1-31AD-5FCE-0000-001004062B00}6040C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000020058Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:44:13.586{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020059Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:44:13.586{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020060Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:44:13.586{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020061Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:44:13.586{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020062Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:44:13.586{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-31AD-5FCE-0000-001004062B00}6040C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000020046Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:44:12.493{7E7FFDA1-31AC-5FCE-0000-00103E042B00}6820C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000020047Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:44:12.492{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-31AC-5FCE-0000-00103E042B00}6820C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020048Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:44:12.492{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640788C:\Windows\system32\csrss.exe{7E7FFDA1-31AC-5FCE-0000-00103E042B00}6820C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000020049Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:44:12.492{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020050Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:44:12.492{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020051Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:44:12.492{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020052Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:44:12.492{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020053Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:44:12.492{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-31AC-5FCE-0000-00103E042B00}6820C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020054Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:44:12.633{7E7FFDA1-31AC-5FCE-0000-00103E042B00}68206676C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000020038Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:44:11.493{7E7FFDA1-31AB-5FCE-0000-001093022B00}1992C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000020039Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:44:11.492{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-31AB-5FCE-0000-001093022B00}1992C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020040Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:44:11.492{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640656C:\Windows\system32\csrss.exe{7E7FFDA1-31AB-5FCE-0000-001093022B00}1992C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000020041Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:44:11.492{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020042Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:44:11.492{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020043Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:44:11.492{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020044Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:44:11.492{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020045Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:44:11.492{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-31AB-5FCE-0000-001093022B00}1992C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x800000000000000020037Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localRDP2020-12-07 13:44:00.553{7E7FFDA1-18B1-5FCE-0000-0010BBB90000}1144C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse216.218.206.66scan-05.shadowserver.org35360false10.0.1.14win-dc-633.attackrange.local3389ms-wbt-server 354300x800000000000000020036Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localRDP2020-12-07 13:43:46.263{7E7FFDA1-18B1-5FCE-0000-0010BBB90000}1144C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse216.218.206.66scan-05.shadowserver.org59866false10.0.1.14win-dc-633.attackrange.local3389ms-wbt-server 10341000x800000000000000020007Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:43:41.179{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-0010F6730B00}5664C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020008Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:43:41.179{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-0010F6730B00}5664C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020009Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:43:41.179{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-0010F6730B00}5664C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020010Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:43:41.179{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-0010F6730B00}5664C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020011Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:43:41.179{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-0010F6730B00}5664C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020012Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:43:41.179{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-0010F6730B00}5664C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020013Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:43:41.179{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-0010F6730B00}5664C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020014Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:43:41.179{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-0010F6730B00}5664C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020015Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:43:41.179{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-001032810B00}5772C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020016Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:43:41.179{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-001032810B00}5772C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020017Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:43:41.179{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-001032810B00}5772C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020018Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:43:41.179{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-001032810B00}5772C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020019Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:43:41.179{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-001032810B00}5772C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020020Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:43:41.179{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-001032810B00}5772C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020021Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:43:41.179{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1976-5FCE-0000-001032810B00}5772C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020022Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:43:41.179{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020023Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:43:41.179{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020024Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:43:41.179{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020025Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:43:41.179{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020026Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:43:41.179{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020027Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:43:41.179{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020028Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:43:41.179{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020029Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:43:41.179{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020030Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:43:41.179{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020031Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:43:41.179{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020032Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:43:41.179{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020033Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:43:41.179{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020034Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:43:41.179{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020035Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:43:41.179{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}612428C:\Windows\system32\svchost.exe{7E7FFDA1-1964-5FCE-0000-00109A7A0800}2472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x800000000000000020006Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 13:43:20.023{7E7FFDA1-18B1-5FCE-0000-001008C50000}1204C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d6cc9e-0xec972ab9) 13241300x800000000000000020003Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 13:43:17.039{7E7FFDA1-18C1-5FCE-0000-001019C00200}3100C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\A47110B2-D436-47F8-BEA1-61CCEBF6C04E\Replica Set Configuration File\\?\C:\System Volume Information\DFSR\Config\Replica_A47110B2-D436-47F8-BEA1-61CCEBF6C04E.XML 13241300x800000000000000020004Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 13:43:17.039{7E7FFDA1-18C1-5FCE-0000-001019C00200}3100C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\A47110B2-D436-47F8-BEA1-61CCEBF6C04E\Config SourceDWORD (0x00000001) 13241300x800000000000000020005Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 13:43:17.054{7E7FFDA1-18C1-5FCE-0000-001019C00200}3100C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Volumes\9D191D6C-0000-0000-0000-100000000000\Volume Configuration File\\.\C:\System Volume Information\DFSR\Config\Volume_9D191D6C-0000-0000-0000-100000000000.XML 154100x800000000000000019995Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:43:16.665{7E7FFDA1-3174-5FCE-0000-0010D8F12A00}5280C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000019996Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:43:16.664{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-3174-5FCE-0000-0010D8F12A00}5280C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019997Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:43:16.664{7E7FFDA1-18AF-5FCE-0000-0010FA420000}6401160C:\Windows\system32\csrss.exe{7E7FFDA1-3174-5FCE-0000-0010D8F12A00}5280C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000019998Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:43:16.664{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019999Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:43:16.664{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020000Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:43:16.664{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020001Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:43:16.664{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020002Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:43:16.664{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-3174-5FCE-0000-0010D8F12A00}5280C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019985Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:43:15.054{7E7FFDA1-3172-5FCE-0000-001017EE2A00}59006540C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000019986Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:43:15.586{7E7FFDA1-3173-5FCE-0000-001015F02A00}6052C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe?????"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000019987Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:43:15.586{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-3173-5FCE-0000-001015F02A00}6052C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019988Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:43:15.586{7E7FFDA1-18AF-5FCE-0000-0010FA420000}6402404C:\Windows\system32\csrss.exe{7E7FFDA1-3173-5FCE-0000-001015F02A00}6052C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000019989Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:43:15.586{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019990Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:43:15.586{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019991Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:43:15.586{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019992Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:43:15.586{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019993Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:43:15.586{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-3173-5FCE-0000-001015F02A00}6052C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019994Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:43:15.726{7E7FFDA1-3173-5FCE-0000-001015F02A00}60524264C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000019968Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:43:14.243{7E7FFDA1-3172-5FCE-0000-001058EC2A00}4256C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe?????"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000019969Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:43:14.242{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-3172-5FCE-0000-001058EC2A00}4256C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019970Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:43:14.242{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640788C:\Windows\system32\csrss.exe{7E7FFDA1-3172-5FCE-0000-001058EC2A00}4256C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000019971Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:43:14.242{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019972Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:43:14.242{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019973Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:43:14.242{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019974Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:43:14.242{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019975Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:43:14.242{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-3172-5FCE-0000-001058EC2A00}4256C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019976Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:43:14.383{7E7FFDA1-3172-5FCE-0000-001058EC2A00}42566256C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000019977Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:43:14.915{7E7FFDA1-3172-5FCE-0000-001017EE2A00}5900C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000019978Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:43:14.914{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-3172-5FCE-0000-001017EE2A00}5900C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019979Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:43:14.914{7E7FFDA1-18AF-5FCE-0000-0010FA420000}6402404C:\Windows\system32\csrss.exe{7E7FFDA1-3172-5FCE-0000-001017EE2A00}5900C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000019980Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:43:14.914{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019981Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:43:14.914{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019982Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:43:14.914{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019983Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:43:14.914{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019984Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:43:14.914{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-3172-5FCE-0000-001017EE2A00}5900C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000019960Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:43:13.571{7E7FFDA1-3171-5FCE-0000-00109FEA2A00}6408C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000019961Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:43:13.570{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-3171-5FCE-0000-00109FEA2A00}6408C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019962Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:43:13.570{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640788C:\Windows\system32\csrss.exe{7E7FFDA1-3171-5FCE-0000-00109FEA2A00}6408C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000019963Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:43:13.570{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019964Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:43:13.570{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019965Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:43:13.570{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019966Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:43:13.570{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019967Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:43:13.570{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-3171-5FCE-0000-00109FEA2A00}6408C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000019951Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:43:12.493{7E7FFDA1-3170-5FCE-0000-0010CDE82A00}4780C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000019952Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:43:12.492{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-3170-5FCE-0000-0010CDE82A00}4780C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019953Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:43:12.492{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640656C:\Windows\system32\csrss.exe{7E7FFDA1-3170-5FCE-0000-0010CDE82A00}4780C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000019954Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:43:12.492{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019955Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:43:12.492{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019956Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:43:12.492{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019957Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:43:12.492{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019958Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:43:12.492{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-3170-5FCE-0000-0010CDE82A00}4780C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019959Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:43:12.633{7E7FFDA1-3170-5FCE-0000-0010CDE82A00}47804000C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000019943Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:43:11.633{7E7FFDA1-316F-5FCE-0000-00101AE72A00}5796C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000019944Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:43:11.633{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-316F-5FCE-0000-00101AE72A00}5796C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019945Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:43:11.633{7E7FFDA1-18AF-5FCE-0000-0010FA420000}6401160C:\Windows\system32\csrss.exe{7E7FFDA1-316F-5FCE-0000-00101AE72A00}5796C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000019946Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:43:11.633{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019947Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:43:11.633{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019948Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:43:11.633{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019949Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:43:11.633{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019950Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:43:11.633{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-316F-5FCE-0000-00101AE72A00}5796C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000019935Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:42:16.665{7E7FFDA1-3138-5FCE-0000-001059CA2A00}5536C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000019936Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:42:16.665{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-3138-5FCE-0000-001059CA2A00}5536C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019937Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:42:16.665{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640788C:\Windows\system32\csrss.exe{7E7FFDA1-3138-5FCE-0000-001059CA2A00}5536C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000019938Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:42:16.665{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019939Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:42:16.665{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019940Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:42:16.665{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019941Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:42:16.665{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019942Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:42:16.665{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-3138-5FCE-0000-001059CA2A00}5536C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000019926Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:42:15.431{7E7FFDA1-3137-5FCE-0000-00109BC82A00}5952C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe?????"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000019927Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:42:15.430{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-3137-5FCE-0000-00109BC82A00}5952C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019928Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:42:15.430{7E7FFDA1-18AF-5FCE-0000-0010FA420000}6402404C:\Windows\system32\csrss.exe{7E7FFDA1-3137-5FCE-0000-00109BC82A00}5952C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000019929Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:42:15.430{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019930Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:42:15.430{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019931Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:42:15.430{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019932Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:42:15.430{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019933Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:42:15.430{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-3137-5FCE-0000-00109BC82A00}5952C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019934Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:42:15.571{7E7FFDA1-3137-5FCE-0000-00109BC82A00}59526168C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000019909Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:42:14.259{7E7FFDA1-3136-5FCE-0000-0010AFC42A00}5248C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000019910Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:42:14.258{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-3136-5FCE-0000-0010AFC42A00}5248C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019911Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:42:14.258{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640656C:\Windows\system32\csrss.exe{7E7FFDA1-3136-5FCE-0000-0010AFC42A00}5248C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000019912Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:42:14.258{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019913Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:42:14.258{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019914Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:42:14.258{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019915Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:42:14.258{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019916Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:42:14.258{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-3136-5FCE-0000-0010AFC42A00}5248C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000019917Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:42:14.760{7E7FFDA1-3136-5FCE-0000-00107BC62A00}5380C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000019918Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:42:14.758{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-3136-5FCE-0000-00107BC62A00}5380C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019919Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:42:14.758{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640788C:\Windows\system32\csrss.exe{7E7FFDA1-3136-5FCE-0000-00107BC62A00}5380C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000019920Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:42:14.758{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019921Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:42:14.758{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019922Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:42:14.758{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019923Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:42:14.758{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019924Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:42:14.758{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-3136-5FCE-0000-00107BC62A00}5380C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019925Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:42:14.899{7E7FFDA1-3136-5FCE-0000-00107BC62A00}53805700C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000019900Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:42:13.588{7E7FFDA1-3135-5FCE-0000-001023C32A00}4608C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe?????"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000019901Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:42:13.587{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-3135-5FCE-0000-001023C32A00}4608C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019902Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:42:13.587{7E7FFDA1-18AF-5FCE-0000-0010FA420000}6402404C:\Windows\system32\csrss.exe{7E7FFDA1-3135-5FCE-0000-001023C32A00}4608C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000019903Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:42:13.587{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019904Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:42:13.587{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019905Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:42:13.587{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019906Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:42:13.587{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019907Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:42:13.587{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-3135-5FCE-0000-001023C32A00}4608C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019908Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:42:13.727{7E7FFDA1-3135-5FCE-0000-001023C32A00}46085276C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000019891Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:42:12.494{7E7FFDA1-3134-5FCE-0000-00105BC12A00}4148C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000019892Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:42:12.493{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-3134-5FCE-0000-00105BC12A00}4148C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019893Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:42:12.493{7E7FFDA1-18AF-5FCE-0000-0010FA420000}6401160C:\Windows\system32\csrss.exe{7E7FFDA1-3134-5FCE-0000-00105BC12A00}4148C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000019894Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:42:12.493{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019895Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:42:12.493{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019896Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:42:12.493{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019897Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:42:12.493{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019898Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:42:12.493{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-3134-5FCE-0000-00105BC12A00}4148C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019899Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:42:12.633{7E7FFDA1-3134-5FCE-0000-00105BC12A00}41486380C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000019883Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:42:11.619{7E7FFDA1-3133-5FCE-0000-0010A1BF2A00}4524C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000019884Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:42:11.618{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-3133-5FCE-0000-0010A1BF2A00}4524C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019885Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:42:11.618{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640656C:\Windows\system32\csrss.exe{7E7FFDA1-3133-5FCE-0000-0010A1BF2A00}4524C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000019886Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:42:11.618{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019887Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:42:11.618{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019888Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:42:11.618{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019889Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:42:11.618{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019890Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:42:11.618{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-3133-5FCE-0000-0010A1BF2A00}4524C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019882Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:41:40.165{7E7FFDA1-18B1-5FCE-0000-0010FEA90000}6121316C:\Windows\system32\svchost.exe{7E7FFDA1-18B1-5FCE-0000-001002BA0000}1152C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000019874Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:41:16.651{7E7FFDA1-30FC-5FCE-0000-0010ABB32A00}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000019875Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:41:16.650{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-30FC-5FCE-0000-0010ABB32A00}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019876Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:41:16.650{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640788C:\Windows\system32\csrss.exe{7E7FFDA1-30FC-5FCE-0000-0010ABB32A00}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000019877Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:41:16.650{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019878Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:41:16.650{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019879Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:41:16.650{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019880Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:41:16.650{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019881Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:41:16.650{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-30FC-5FCE-0000-0010ABB32A00}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000019856Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:41:15.041{7E7FFDA1-30FB-5FCE-0000-0010F1AF2A00}6908C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000019857Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:41:15.041{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-30FB-5FCE-0000-0010F1AF2A00}6908C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019858Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:41:15.041{7E7FFDA1-18AF-5FCE-0000-0010FA420000}6402404C:\Windows\system32\csrss.exe{7E7FFDA1-30FB-5FCE-0000-0010F1AF2A00}6908C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000019859Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:41:15.041{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019860Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:41:15.041{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019861Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:41:15.041{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019862Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:41:15.041{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019863Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:41:15.041{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-30FB-5FCE-0000-0010F1AF2A00}6908C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019864Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:41:15.181{7E7FFDA1-30FB-5FCE-0000-0010F1AF2A00}69083980C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000019865Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:41:15.713{7E7FFDA1-30FB-5FCE-0000-0010EBB12A00}1556C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe?????"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000019866Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:41:15.712{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-30FB-5FCE-0000-0010EBB12A00}1556C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019867Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:41:15.712{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640656C:\Windows\system32\csrss.exe{7E7FFDA1-30FB-5FCE-0000-0010EBB12A00}1556C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000019868Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:41:15.712{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019869Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:41:15.712{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019870Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:41:15.712{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019871Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:41:15.712{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019872Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:41:15.712{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-30FB-5FCE-0000-0010EBB12A00}1556C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019873Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:41:15.853{7E7FFDA1-30FB-5FCE-0000-0010EBB12A00}15566560C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000019847Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:41:14.369{7E7FFDA1-30FA-5FCE-0000-001031AE2A00}6996C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe?????"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000019848Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:41:14.369{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-30FA-5FCE-0000-001031AE2A00}6996C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019849Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:41:14.369{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640656C:\Windows\system32\csrss.exe{7E7FFDA1-30FA-5FCE-0000-001031AE2A00}6996C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000019850Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:41:14.369{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019851Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:41:14.369{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019852Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:41:14.369{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019853Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:41:14.369{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019854Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:41:14.369{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-30FA-5FCE-0000-001031AE2A00}6996C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019855Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:41:14.509{7E7FFDA1-30FA-5FCE-0000-001031AE2A00}69965216C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000019839Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:41:13.744{7E7FFDA1-30F9-5FCE-0000-00106AAC2A00}2780C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000019840Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:41:13.744{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-30F9-5FCE-0000-00106AAC2A00}2780C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019841Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:41:13.744{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640656C:\Windows\system32\csrss.exe{7E7FFDA1-30F9-5FCE-0000-00106AAC2A00}2780C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000019842Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:41:13.744{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019843Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:41:13.744{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019844Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:41:13.744{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019845Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:41:13.744{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019846Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:41:13.744{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-30F9-5FCE-0000-00106AAC2A00}2780C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000019830Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:41:12.479{7E7FFDA1-30F8-5FCE-0000-00109EAA2A00}6556C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000019831Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:41:12.478{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-30F8-5FCE-0000-00109EAA2A00}6556C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019832Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:41:12.478{7E7FFDA1-18AF-5FCE-0000-0010FA420000}6402404C:\Windows\system32\csrss.exe{7E7FFDA1-30F8-5FCE-0000-00109EAA2A00}6556C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000019833Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:41:12.478{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019834Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:41:12.478{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019835Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:41:12.478{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019836Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:41:12.478{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019837Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:41:12.478{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-30F8-5FCE-0000-00109EAA2A00}6556C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019838Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:41:12.619{7E7FFDA1-30F8-5FCE-0000-00109EAA2A00}65566232C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000019822Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:41:11.620{7E7FFDA1-30F7-5FCE-0000-0010F0A82A00}2180C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000019823Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:41:11.619{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-30F7-5FCE-0000-0010F0A82A00}2180C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019824Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:41:11.619{7E7FFDA1-18AF-5FCE-0000-0010FA420000}6402404C:\Windows\system32\csrss.exe{7E7FFDA1-30F7-5FCE-0000-0010F0A82A00}2180C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000019825Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:41:11.619{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019826Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:41:11.619{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019827Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:41:11.619{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019828Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:41:11.619{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019829Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:41:11.619{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-30F7-5FCE-0000-0010F0A82A00}2180C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x800000000000000019812Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 13:40:58.322{7E7FFDA1-18AF-5FCE-0000-001027540000}856C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d6cca6-0xf9b0438a) 13241300x800000000000000019813Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 13:40:58.322{7E7FFDA1-18AF-5FCE-0000-001027540000}856C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d6cc9e-0x97ebdb8a) 13241300x800000000000000019814Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 13:40:58.322{7E7FFDA1-18AF-5FCE-0000-001027540000}856C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d6cc96-0x3627738a) 13241300x800000000000000019815Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 13:40:58.322{7E7FFDA1-18AF-5FCE-0000-001027540000}856C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x005ebc71) 13241300x800000000000000019816Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 13:40:58.322{7E7FFDA1-18AF-5FCE-0000-001027540000}856C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x800000000000000019817Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 13:40:58.322{7E7FFDA1-18AF-5FCE-0000-001027540000}856C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d6cca6-0xf9b0438a) 13241300x800000000000000019818Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 13:40:58.322{7E7FFDA1-18AF-5FCE-0000-001027540000}856C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d6cc9e-0x97ebdb8a) 13241300x800000000000000019819Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 13:40:58.322{7E7FFDA1-18AF-5FCE-0000-001027540000}856C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d6cc96-0x3627738a) 13241300x800000000000000019820Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 13:40:58.322{7E7FFDA1-18AF-5FCE-0000-001027540000}856C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x005ebc71) 13241300x800000000000000019821Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.localSetValue2020-12-07 13:40:58.322{7E7FFDA1-18AF-5FCE-0000-001027540000}856C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 10341000x800000000000000019811Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:40:39.291{7E7FFDA1-18AF-5FCE-0000-001027540000}8562468C:\Windows\system32\lsass.exe{7E7FFDA1-18AE-5FCE-0000-0010EB030000}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2e101|C:\Windows\system32\lsasrv.dll+2c2c4|C:\Windows\system32\lsasrv.dll+31819|C:\Windows\system32\lsasrv.dll+2f177|C:\Windows\system32\lsasrv.dll+2e101|C:\Windows\system32\lsasrv.dll+16cdd|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x800000000000000019808Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:40:37.354{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18B1-5FCE-0000-0010CBF20000}1588C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019809Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:40:37.354{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18B1-5FCE-0000-0010CBF20000}1588C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019810Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:40:37.354{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18B1-5FCE-0000-0010CBF20000}1588C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000019800Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:40:16.636{7E7FFDA1-30C0-5FCE-0000-0010DB962A00}6948C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000019801Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:40:16.635{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-30C0-5FCE-0000-0010DB962A00}6948C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019802Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:40:16.635{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640788C:\Windows\system32\csrss.exe{7E7FFDA1-30C0-5FCE-0000-0010DB962A00}6948C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000019803Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:40:16.635{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019804Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:40:16.635{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019805Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:40:16.635{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019806Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:40:16.635{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019807Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:40:16.635{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-30C0-5FCE-0000-0010DB962A00}6948C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000019782Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:40:15.042{7E7FFDA1-30BF-5FCE-0000-001023932A00}6820C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe?????"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000019783Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:40:15.041{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-30BF-5FCE-0000-001023932A00}6820C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019784Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:40:15.041{7E7FFDA1-18AF-5FCE-0000-0010FA420000}6402404C:\Windows\system32\csrss.exe{7E7FFDA1-30BF-5FCE-0000-001023932A00}6820C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000019785Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:40:15.041{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019786Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:40:15.041{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019787Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:40:15.041{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019788Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:40:15.041{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019789Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:40:15.041{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-30BF-5FCE-0000-001023932A00}6820C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019790Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:40:15.182{7E7FFDA1-30BF-5FCE-0000-001023932A00}68206828C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000019791Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:40:15.714{7E7FFDA1-30BF-5FCE-0000-0010AF942A00}6108C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000019792Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:40:15.713{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-30BF-5FCE-0000-0010AF942A00}6108C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019793Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:40:15.713{7E7FFDA1-18AF-5FCE-0000-0010FA420000}6401160C:\Windows\system32\csrss.exe{7E7FFDA1-30BF-5FCE-0000-0010AF942A00}6108C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000019794Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:40:15.713{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019795Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:40:15.713{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019796Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:40:15.713{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019797Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:40:15.713{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019798Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:40:15.713{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-30BF-5FCE-0000-0010AF942A00}6108C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019799Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:40:15.854{7E7FFDA1-30BF-5FCE-0000-0010AF942A00}61085484C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000019774Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:40:14.370{7E7FFDA1-30BE-5FCE-0000-001041912A00}5412C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000019775Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:40:14.370{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-30BE-5FCE-0000-001041912A00}5412C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019776Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:40:14.370{7E7FFDA1-18AF-5FCE-0000-0010FA420000}6401160C:\Windows\system32\csrss.exe{7E7FFDA1-30BE-5FCE-0000-001041912A00}5412C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000019777Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:40:14.370{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019778Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:40:14.370{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019779Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:40:14.370{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019780Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:40:14.370{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019781Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:40:14.370{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-30BE-5FCE-0000-001041912A00}5412C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000019765Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:40:13.745{7E7FFDA1-30BD-5FCE-0000-0010978F2A00}2632C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe?????"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000019766Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:40:13.745{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-30BD-5FCE-0000-0010978F2A00}2632C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019767Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:40:13.745{7E7FFDA1-18AF-5FCE-0000-0010FA420000}6402404C:\Windows\system32\csrss.exe{7E7FFDA1-30BD-5FCE-0000-0010978F2A00}2632C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000019768Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:40:13.745{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019769Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:40:13.745{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019770Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:40:13.745{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019771Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:40:13.745{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019772Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:40:13.745{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-30BD-5FCE-0000-0010978F2A00}2632C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019773Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:40:13.885{7E7FFDA1-30BD-5FCE-0000-0010978F2A00}26325628C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000019756Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:40:12.464{7E7FFDA1-30BC-5FCE-0000-0010CC8D2A00}2956C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000019757Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:40:12.463{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-30BC-5FCE-0000-0010CC8D2A00}2956C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019758Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:40:12.463{7E7FFDA1-18AF-5FCE-0000-0010FA420000}6402404C:\Windows\system32\csrss.exe{7E7FFDA1-30BC-5FCE-0000-0010CC8D2A00}2956C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000019759Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:40:12.463{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019760Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:40:12.463{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019761Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:40:12.463{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019762Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:40:12.463{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019763Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:40:12.463{7E7FFDA1-1942-5FCE-0000-0010B3850600}46884704C:\Windows\system32\conhost.exe{7E7FFDA1-30BC-5FCE-0000-0010CC8D2A00}2956C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019764Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:40:12.604{7E7FFDA1-30BC-5FCE-0000-0010CC8D2A00}29566112C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000019748Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:40:11.620{7E7FFDA1-30BB-5FCE-0000-00101B8C2A00}7024C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7E7FFDA1-18AF-5FCE-0000-0020E7030000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{7E7FFDA1-1941-5FCE-0000-0010A5780600}868C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000019749Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:40:11.620{7E7FFDA1-1941-5FCE-0000-0010A5780600}8682920C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7E7FFDA1-30BB-5FCE-0000-00101B8C2A00}7024C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019750Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:40:11.620{7E7FFDA1-18AF-5FCE-0000-0010FA420000}640788C:\Windows\system32\csrss.exe{7E7FFDA1-30BB-5FCE-0000-00101B8C2A00}7024C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000019751Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:40:11.620{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019752Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:40:11.620{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019753Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:40:11.620{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019754Microsoft-Windows-Sysmon/Operationalwin-dc-633.attackrange.local2020-12-07 13:40:11.620{7E7FFDA1-18B1-5FCE-0000-0010ED650000}5885296C:\Windows\system32\svchost.exe{7E7FFDA1-18C1-5FCE-0000-0010E5BF0200}3080C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\Sys