10341000x800000000000000014491Microsoft-Windows-Sysmon/Operationalwin-dc-934.attackrange.local-2020-11-09 08:28:40.328{0309FDEB-F84A-5FA8-AB00-000000008801}30124884C:\Windows\system32\conhost.exe{0309FDEB-FDB8-5FA8-8C06-000000008801}5924C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014490Microsoft-Windows-Sysmon/Operationalwin-dc-934.attackrange.local-2020-11-09 08:28:40.328{0309FDEB-F7AD-5FA8-0C00-000000008801}5961120C:\Windows\system32\svchost.exe{0309FDEB-F7BD-5FA8-2F00-000000008801}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014489Microsoft-Windows-Sysmon/Operationalwin-dc-934.attackrange.local-2020-11-09 08:28:40.328{0309FDEB-F7AD-5FA8-0C00-000000008801}5961120C:\Windows\system32\svchost.exe{0309FDEB-F7BD-5FA8-2F00-000000008801}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014488Microsoft-Windows-Sysmon/Operationalwin-dc-934.attackrange.local-2020-11-09 08:28:40.328{0309FDEB-F7AD-5FA8-0C00-000000008801}5961120C:\Windows\system32\svchost.exe{0309FDEB-F7BD-5FA8-2F00-000000008801}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014487Microsoft-Windows-Sysmon/Operationalwin-dc-934.attackrange.local-2020-11-09 08:28:40.328{0309FDEB-F7AD-5FA8-0C00-000000008801}5961120C:\Windows\system32\svchost.exe{0309FDEB-F7BD-5FA8-2F00-000000008801}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014486Microsoft-Windows-Sysmon/Operationalwin-dc-934.attackrange.local-2020-11-09 08:28:40.328{0309FDEB-F7AB-5FA8-0500-000000008801}6442416C:\Windows\system32\csrss.exe{0309FDEB-FDB8-5FA8-8C06-000000008801}5924C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000014485Microsoft-Windows-Sysmon/Operationalwin-dc-934.attackrange.local-2020-11-09 08:28:40.328{0309FDEB-F84A-5FA8-A700-000000008801}12483500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0309FDEB-FDB8-5FA8-8C06-000000008801}5924C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000014484Microsoft-Windows-Sysmon/Operationalwin-dc-934.attackrange.local-2020-11-09 08:28:40.328{0309FDEB-FDB8-5FA8-8C06-000000008801}5924C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0309FDEB-F7AB-5FA8-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{0309FDEB-F84A-5FA8-A700-000000008801}1248C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000014508Microsoft-Windows-Sysmon/Operationalwin-dc-934.attackrange.local-2020-11-09 08:28:41.670{0309FDEB-F84A-5FA8-AB00-000000008801}30124884C:\Windows\system32\conhost.exe{0309FDEB-FDB9-5FA8-8E06-000000008801}4820C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014507Microsoft-Windows-Sysmon/Operationalwin-dc-934.attackrange.local-2020-11-09 08:28:41.670{0309FDEB-F7AD-5FA8-0C00-000000008801}5961120C:\Windows\system32\svchost.exe{0309FDEB-F7BD-5FA8-2F00-000000008801}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014506Microsoft-Windows-Sysmon/Operationalwin-dc-934.attackrange.local-2020-11-09 08:28:41.670{0309FDEB-F7AD-5FA8-0C00-000000008801}5961120C:\Windows\system32\svchost.exe{0309FDEB-F7BD-5FA8-2F00-000000008801}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014505Microsoft-Windows-Sysmon/Operationalwin-dc-934.attackrange.local-2020-11-09 08:28:41.670{0309FDEB-F7AD-5FA8-0C00-000000008801}5961120C:\Windows\system32\svchost.exe{0309FDEB-F7BD-5FA8-2F00-000000008801}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014504Microsoft-Windows-Sysmon/Operationalwin-dc-934.attackrange.local-2020-11-09 08:28:41.670{0309FDEB-F7AD-5FA8-0C00-000000008801}5961120C:\Windows\system32\svchost.exe{0309FDEB-F7BD-5FA8-2F00-000000008801}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014503Microsoft-Windows-Sysmon/Operationalwin-dc-934.attackrange.local-2020-11-09 08:28:41.670{0309FDEB-F7AB-5FA8-0500-000000008801}6441220C:\Windows\system32\csrss.exe{0309FDEB-FDB9-5FA8-8E06-000000008801}4820C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000014502Microsoft-Windows-Sysmon/Operationalwin-dc-934.attackrange.local-2020-11-09 08:28:41.670{0309FDEB-F84A-5FA8-A700-000000008801}12483500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0309FDEB-FDB9-5FA8-8E06-000000008801}4820C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000014501Microsoft-Windows-Sysmon/Operationalwin-dc-934.attackrange.local-2020-11-09 08:28:41.671{0309FDEB-FDB9-5FA8-8E06-000000008801}4820C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0309FDEB-F7AB-5FA8-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{0309FDEB-F84A-5FA8-A700-000000008801}1248C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000014500Microsoft-Windows-Sysmon/Operationalwin-dc-934.attackrange.local-2020-11-09 08:28:41.139{0309FDEB-FDB8-5FA8-8D06-000000008801}58685720C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{0309FDEB-F84A-5FA8-A700-000000008801}1248C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014499Microsoft-Windows-Sysmon/Operationalwin-dc-934.attackrange.local-2020-11-09 08:28:40.998{0309FDEB-F84A-5FA8-AB00-000000008801}30124884C:\Windows\system32\conhost.exe{0309FDEB-FDB8-5FA8-8D06-000000008801}5868C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014498Microsoft-Windows-Sysmon/Operationalwin-dc-934.attackrange.local-2020-11-09 08:28:40.998{0309FDEB-F7AD-5FA8-0C00-000000008801}5961120C:\Windows\system32\svchost.exe{0309FDEB-F7BD-5FA8-2F00-000000008801}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014497Microsoft-Windows-Sysmon/Operationalwin-dc-934.attackrange.local-2020-11-09 08:28:40.998{0309FDEB-F7AD-5FA8-0C00-000000008801}5961120C:\Windows\system32\svchost.exe{0309FDEB-F7BD-5FA8-2F00-000000008801}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014496Microsoft-Windows-Sysmon/Operationalwin-dc-934.attackrange.local-2020-11-09 08:28:40.998{0309FDEB-F7AD-5FA8-0C00-000000008801}5961120C:\Windows\system32\svchost.exe{0309FDEB-F7BD-5FA8-2F00-000000008801}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014495Microsoft-Windows-Sysmon/Operationalwin-dc-934.attackrange.local-2020-11-09 08:28:40.998{0309FDEB-F7AD-5FA8-0C00-000000008801}5961120C:\Windows\system32\svchost.exe{0309FDEB-F7BD-5FA8-2F00-000000008801}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014494Microsoft-Windows-Sysmon/Operationalwin-dc-934.attackrange.local-2020-11-09 08:28:40.998{0309FDEB-F7AB-5FA8-0500-000000008801}644660C:\Windows\system32\csrss.exe{0309FDEB-FDB8-5FA8-8D06-000000008801}5868C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000014493Microsoft-Windows-Sysmon/Operationalwin-dc-934.attackrange.local-2020-11-09 08:28:40.998{0309FDEB-F84A-5FA8-A700-000000008801}12483500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0309FDEB-FDB8-5FA8-8D06-000000008801}5868C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000014492Microsoft-Windows-Sysmon/Operationalwin-dc-934.attackrange.local-2020-11-09 08:28:40.999{0309FDEB-FDB8-5FA8-8D06-000000008801}5868C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0309FDEB-F7AB-5FA8-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{0309FDEB-F84A-5FA8-A700-000000008801}1248C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000014517Microsoft-Windows-Sysmon/Operationalwin-dc-934.attackrange.local-2020-11-09 08:28:42.483{0309FDEB-FDBA-5FA8-8F06-000000008801}41764312C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{0309FDEB-F84A-5FA8-A700-000000008801}1248C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014516Microsoft-Windows-Sysmon/Operationalwin-dc-934.attackrange.local-2020-11-09 08:28:42.342{0309FDEB-F84A-5FA8-AB00-000000008801}30124884C:\Windows\system32\conhost.exe{0309FDEB-FDBA-5FA8-8F06-000000008801}4176C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014515Microsoft-Windows-Sysmon/Operationalwin-dc-934.attackrange.local-2020-11-09 08:28:42.342{0309FDEB-F7AD-5FA8-0C00-000000008801}5961120C:\Windows\system32\svchost.exe{0309FDEB-F7BD-5FA8-2F00-000000008801}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014514Microsoft-Windows-Sysmon/Operationalwin-dc-934.attackrange.local-2020-11-09 08:28:42.342{0309FDEB-F7AD-5FA8-0C00-000000008801}5961120C:\Windows\system32\svchost.exe{0309FDEB-F7BD-5FA8-2F00-000000008801}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014513Microsoft-Windows-Sysmon/Operationalwin-dc-934.attackrange.local-2020-11-09 08:28:42.342{0309FDEB-F7AD-5FA8-0C00-000000008801}5961120C:\Windows\system32\svchost.exe{0309FDEB-F7BD-5FA8-2F00-000000008801}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014512Microsoft-Windows-Sysmon/Operationalwin-dc-934.attackrange.local-2020-11-09 08:28:42.342{0309FDEB-F7AD-5FA8-0C00-000000008801}5961120C:\Windows\system32\svchost.exe{0309FDEB-F7BD-5FA8-2F00-000000008801}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014511Microsoft-Windows-Sysmon/Operationalwin-dc-934.attackrange.local-2020-11-09 08:28:42.342{0309FDEB-F7AB-5FA8-0500-000000008801}6442420C:\Windows\system32\csrss.exe{0309FDEB-FDBA-5FA8-8F06-000000008801}4176C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000014510Microsoft-Windows-Sysmon/Operationalwin-dc-934.attackrange.local-2020-11-09 08:28:42.342{0309FDEB-F84A-5FA8-A700-000000008801}12483500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0309FDEB-FDBA-5FA8-8F06-000000008801}4176C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000014509Microsoft-Windows-Sysmon/Operationalwin-dc-934.attackrange.local-2020-11-09 08:28:42.343{0309FDEB-FDBA-5FA8-8F06-000000008801}4176C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0309FDEB-F7AB-5FA8-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{0309FDEB-F84A-5FA8-A700-000000008801}1248C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000014526Microsoft-Windows-Sysmon/Operationalwin-dc-934.attackrange.local-2020-11-09 08:28:43.483{0309FDEB-FDBB-5FA8-9006-000000008801}38286112C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{0309FDEB-F84A-5FA8-A700-000000008801}1248C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014525Microsoft-Windows-Sysmon/Operationalwin-dc-934.attackrange.local-2020-11-09 08:28:43.342{0309FDEB-F84A-5FA8-AB00-000000008801}30124884C:\Windows\system32\conhost.exe{0309FDEB-FDBB-5FA8-9006-000000008801}3828C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014524Microsoft-Windows-Sysmon/Operationalwin-dc-934.attackrange.local-2020-11-09 08:28:43.342{0309FDEB-F7AD-5FA8-0C00-000000008801}5961120C:\Windows\system32\svchost.exe{0309FDEB-F7BD-5FA8-2F00-000000008801}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014523Microsoft-Windows-Sysmon/Operationalwin-dc-934.attackrange.local-2020-11-09 08:28:43.342{0309FDEB-F7AD-5FA8-0C00-000000008801}5961120C:\Windows\system32\svchost.exe{0309FDEB-F7BD-5FA8-2F00-000000008801}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014522Microsoft-Windows-Sysmon/Operationalwin-dc-934.attackrange.local-2020-11-09 08:28:43.342{0309FDEB-F7AD-5FA8-0C00-000000008801}5961120C:\Windows\system32\svchost.exe{0309FDEB-F7BD-5FA8-2F00-000000008801}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014521Microsoft-Windows-Sysmon/Operationalwin-dc-934.attackrange.local-2020-11-09 08:28:43.342{0309FDEB-F7AD-5FA8-0C00-000000008801}5961120C:\Windows\system32\svchost.exe{0309FDEB-F7BD-5FA8-2F00-000000008801}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014520Microsoft-Windows-Sysmon/Operationalwin-dc-934.attackrange.local-2020-11-09 08:28:43.342{0309FDEB-F7AB-5FA8-0500-000000008801}644660C:\Windows\system32\csrss.exe{0309FDEB-FDBB-5FA8-9006-000000008801}3828C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000014519Microsoft-Windows-Sysmon/Operationalwin-dc-934.attackrange.local-2020-11-09 08:28:43.342{0309FDEB-F84A-5FA8-A700-000000008801}12483500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0309FDEB-FDBB-5FA8-9006-000000008801}3828C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000014518Microsoft-Windows-Sysmon/Operationalwin-dc-934.attackrange.local-2020-11-09 08:28:43.343{0309FDEB-FDBB-5FA8-9006-000000008801}3828C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{0309FDEB-F7AB-5FA8-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{0309FDEB-F84A-5FA8-A700-000000008801}1248C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000014535Microsoft-Windows-Sysmon/Operationalwin-dc-934.attackrange.local-2020-11-09 08:28:44.483{0309FDEB-FDBC-5FA8-9106-000000008801}56445980C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{0309FDEB-F84A-5FA8-A700-000000008801}1248C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014534Microsoft-Windows-Sysmon/Operationalwin-dc-934.attackrange.local-2020-11-09 08:28:44.342{0309FDEB-F84A-5FA8-AB00-000000008801}30124884C:\Windows\system32\conhost.exe{0309FDEB-FDBC-5FA8-9106-000000008801}5644C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014533Microsoft-Windows-Sysmon/Operationalwin-dc-934.attackrange.local-2020-11-09 08:28:44.342{0309FDEB-F7AD-5FA8-0C00-000000008801}5961120C:\Windows\system32\svchost.exe{0309FDEB-F7BD-5FA8-2F00-000000008801}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014532Microsoft-Windows-Sysmon/Operationalwin-dc-934.attackrange.local-2020-11-09 08:28:44.342{0309FDEB-F7AD-5FA8-0C00-000000008801}5961120C:\Windows\system32\svchost.exe{0309FDEB-F7BD-5FA8-2F00-000000008801}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014531Microsoft-Windows-Sysmon/Operationalwin-dc-934.attackrange.local-2020-11-09 08:28:44.342{0309FDEB-F7AD-5FA8-0C00-000000008801}5961120C:\Windows\system32\svchost.exe{0309FDEB-F7BD-5FA8-2F00-000000008801}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014530Microsoft-Windows-Sysmon/Operationalwin-dc-934.attackrange.local-2020-11-09 08:28:44.342{0309FDEB-F7AD-5FA8-0C00-000000008801}5961120C:\Windows\system32\svchost.exe{0309FDEB-F7BD-5FA8-2F00-000000008801}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014529Microsoft-Windows-Sysmon/Operationalwin-dc-934.attackrange.local-2020-11-09 08:28:44.342{0309FDEB-F7AB-5FA8-0500-000000008801}6441220C:\Windows\system32\csrss.exe{0309FDEB-FDBC-5FA8-9106-000000008801}5644C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000014528Microsoft-Windows-Sysmon/Operationalwin-dc-934.attackrange.local-2020-11-09 08:28:44.342{0309FDEB-F84A-5FA8-A700-000000008801}12483500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0309FDEB-FDBC-5FA8-9106-000000008801}5644C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000014527Microsoft-Windows-Sysmon/Operationalwin-dc-934.attackrange.local-2020-11-09 08:28:44.342{0309FDEB-FDBC-5FA8-9106-000000008801}5644C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0309FDEB-F7AB-5FA8-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{0309FDEB-F84A-5FA8-A700-000000008801}1248C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000014543Microsoft-Windows-Sysmon/Operationalwin-dc-934.attackrange.local-2020-11-09 08:28:45.436{0309FDEB-F84A-5FA8-AB00-000000008801}30124884C:\Windows\system32\conhost.exe{0309FDEB-FDBD-5FA8-9206-000000008801}3016C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014542Microsoft-Windows-Sysmon/Operationalwin-dc-934.attackrange.local-2020-11-09 08:28:45.436{0309FDEB-F7AD-5FA8-0C00-000000008801}5961120C:\Windows\system32\svchost.exe{0309FDEB-F7BD-5FA8-2F00-000000008801}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014541Microsoft-Windows-Sysmon/Operationalwin-dc-934.attackrange.local-2020-11-09 08:28:45.436{0309FDEB-F7AD-5FA8-0C00-000000008801}5961120C:\Windows\system32\svchost.exe{0309FDEB-F7BD-5FA8-2F00-000000008801}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014540Microsoft-Windows-Sysmon/Operationalwin-dc-934.attackrange.local-2020-11-09 08:28:45.436{0309FDEB-F7AD-5FA8-0C00-000000008801}5961120C:\Windows\system32\svchost.exe{0309FDEB-F7BD-5FA8-2F00-000000008801}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014539Microsoft-Windows-Sysmon/Operationalwin-dc-934.attackrange.local-2020-11-09 08:28:45.436{0309FDEB-F7AD-5FA8-0C00-000000008801}5961120C:\Windows\system32\svchost.exe{0309FDEB-F7BD-5FA8-2F00-000000008801}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014538Microsoft-Windows-Sysmon/Operationalwin-dc-934.attackrange.local-2020-11-09 08:28:45.436{0309FDEB-F7AB-5FA8-0500-000000008801}644660C:\Windows\system32\csrss.exe{0309FDEB-FDBD-5FA8-9206-000000008801}3016C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000014537Microsoft-Windows-Sysmon/Operationalwin-dc-934.attackrange.local-2020-11-09 08:28:45.436{0309FDEB-F84A-5FA8-A700-000000008801}12483500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0309FDEB-FDBD-5FA8-9206-000000008801}3016C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000014536Microsoft-Windows-Sysmon/Operationalwin-dc-934.attackrange.local-2020-11-09 08:28:45.436{0309FDEB-FDBD-5FA8-9206-000000008801}3016C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0309FDEB-F7AB-5FA8-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{0309FDEB-F84A-5FA8-A700-000000008801}1248C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000014569Microsoft-Windows-Sysmon/Operationalwin-dc-934.attackrange.local-2020-11-09 08:29:33.809{0309FDEB-F7AD-5FA8-0D00-000000008801}988640C:\Windows\system32\svchost.exe{0309FDEB-F85A-5FA8-0201-000000008801}5128C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014568Microsoft-Windows-Sysmon/Operationalwin-dc-934.attackrange.local-2020-11-09 08:29:33.809{0309FDEB-F7AD-5FA8-0D00-000000008801}988640C:\Windows\system32\svchost.exe{0309FDEB-F85A-5FA8-0201-000000008801}5128C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014567Microsoft-Windows-Sysmon/Operationalwin-dc-934.attackrange.local-2020-11-09 08:29:33.809{0309FDEB-F7AD-5FA8-0D00-000000008801}988640C:\Windows\system32\svchost.exe{0309FDEB-F85A-5FA8-0201-000000008801}5128C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014566Microsoft-Windows-Sysmon/Operationalwin-dc-934.attackrange.local-2020-11-09 08:29:33.809{0309FDEB-F7AD-5FA8-0D00-000000008801}988640C:\Windows\system32\svchost.exe{0309FDEB-F85A-5FA8-0201-000000008801}5128C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014565Microsoft-Windows-Sysmon/Operationalwin-dc-934.attackrange.local-2020-11-09 08:29:33.809{0309FDEB-F7AD-5FA8-0D00-000000008801}988640C:\Windows\system32\svchost.exe{0309FDEB-F85A-5FA8-0201-000000008801}5128C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014564Microsoft-Windows-Sysmon/Operationalwin-dc-934.attackrange.local-2020-11-09 08:29:33.809{0309FDEB-F7AD-5FA8-0D00-000000008801}988640C:\Windows\system32\svchost.exe{0309FDEB-F85A-5FA8-0201-000000008801}5128C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014563Microsoft-Windows-Sysmon/Operationalwin-dc-934.attackrange.local-2020-11-09 08:29:33.809{0309FDEB-F7AD-5FA8-0D00-000000008801}988640C:\Windows\system32\svchost.exe{0309FDEB-F85A-5FA8-0201-000000008801}5128C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014562Microsoft-Windows-Sysmon/Operationalwin-dc-934.attackrange.local-2020-11-09 08:29:33.809{0309FDEB-F7AD-5FA8-0D00-000000008801}988640C:\Windows\system32\svchost.exe{0309FDEB-F85B-5FA8-0301-000000008801}2156C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014561Microsoft-Windows-Sysmon/Operationalwin-dc-934.attackrange.local-2020-11-09 08:29:33.809{0309FDEB-F7AD-5FA8-0D00-000000008801}988640C:\Windows\system32\svchost.exe{0309FDEB-F85B-5FA8-0301-000000008801}2156C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014560Microsoft-Windows-Sysmon/Operationalwin-dc-934.attackrange.local-2020-11-09 08:29:33.809{0309FDEB-F7AD-5FA8-0D00-000000008801}988640C:\Windows\system32\svchost.exe{0309FDEB-F85B-5FA8-0301-000000008801}2156C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014559Microsoft-Windows-Sysmon/Operationalwin-dc-934.attackrange.local-2020-11-09 08:29:33.809{0309FDEB-F7AD-5FA8-0D00-000000008801}988640C:\Windows\system32\svchost.exe{0309FDEB-F84E-5FA8-D800-000000008801}4552C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014558Microsoft-Windows-Sysmon/Operationalwin-dc-934.attackrange.local-2020-11-09 08:29:33.809{0309FDEB-F7AD-5FA8-0D00-000000008801}988640C:\Windows\system32\svchost.exe{0309FDEB-F84E-5FA8-D800-000000008801}4552C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014557Microsoft-Windows-Sysmon/Operationalwin-dc-934.attackrange.local-2020-11-09 08:29:33.809{0309FDEB-F7AD-5FA8-0D00-000000008801}988640C:\Windows\system32\svchost.exe{0309FDEB-F84E-5FA8-D800-000000008801}4552C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014556Microsoft-Windows-Sysmon/Operationalwin-dc-934.attackrange.local-2020-11-09 08:29:33.809{0309FDEB-F7AD-5FA8-0D00-000000008801}988640C:\Windows\system32\svchost.exe{0309FDEB-F84E-5FA8-D800-000000008801}4552C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014555Microsoft-Windows-Sysmon/Operationalwin-dc-934.attackrange.local-2020-11-09 08:29:33.809{0309FDEB-F7AD-5FA8-0D00-000000008801}988640C:\Windows\system32\svchost.exe{0309FDEB-F84E-5FA8-D800-000000008801}4552C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014554Microsoft-Windows-Sysmon/Operationalwin-dc-934.attackrange.local-2020-11-09 08:29:33.809{0309FDEB-F7AD-5FA8-0D00-000000008801}988640C:\Windows\system32\svchost.exe{0309FDEB-F84E-5FA8-D800-000000008801}4552C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014553Microsoft-Windows-Sysmon/Operationalwin-dc-934.attackrange.local-2020-11-09 08:29:33.809{0309FDEB-F7AD-5FA8-0D00-000000008801}988640C:\Windows\system32\svchost.exe{0309FDEB-F84E-5FA8-D800-000000008801}4552C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014552Microsoft-Windows-Sysmon/Operationalwin-dc-934.attackrange.local-2020-11-09 08:29:33.809{0309FDEB-F7AD-5FA8-0D00-000000008801}988640C:\Windows\system32\svchost.exe{0309FDEB-F84E-5FA8-D800-000000008801}4552C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014551Microsoft-Windows-Sysmon/Operationalwin-dc-934.attackrange.local-2020-11-09 08:29:33.809{0309FDEB-F7AD-5FA8-0D00-000000008801}988640C:\Windows\system32\svchost.exe{0309FDEB-F84E-5FA8-D800-000000008801}4552C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014550Microsoft-Windows-Sysmon/Operationalwin-dc-934.attackrange.local-2020-11-09 08:29:33.809{0309FDEB-F7AD-5FA8-0D00-000000008801}988640C:\Windows\system32\svchost.exe{0309FDEB-F84E-5FA8-D800-000000008801}4552C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014549Microsoft-Windows-Sysmon/Operationalwin-dc-934.attackrange.local-2020-11-09 08:29:33.809{0309FDEB-F7AD-5FA8-0D00-000000008801}988640C:\Windows\system32\svchost.exe{0309FDEB-F84E-5FA8-D800-000000008801}4552C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014548Microsoft-Windows-Sysmon/Operationalwin-dc-934.attackrange.local-2020-11-09 08:29:33.809{0309FDEB-F7AD-5FA8-0D00-000000008801}988640C:\Windows\system32\svchost.exe{0309FDEB-F84E-5FA8-D800-000000008801}4552C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014547Microsoft-Windows-Sysmon/Operationalwin-dc-934.attackrange.local-2020-11-09 08:29:33.809{0309FDEB-F7AD-5FA8-0D00-000000008801}988640C:\Windows\system32\svchost.exe{0309FDEB-F84E-5FA8-D800-000000008801}4552C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014546Microsoft-Windows-Sysmon/Operationalwin-dc-934.attackrange.local-2020-11-09 08:29:33.809{0309FDEB-F7AD-5FA8-0D00-000000008801}988640C:\Windows\system32\svchost.exe{0309FDEB-F84E-5FA8-D800-000000008801}4552C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014545Microsoft-Windows-Sysmon/Operationalwin-dc-934.attackrange.local-2020-11-09 08:29:33.809{0309FDEB-F7AD-5FA8-0D00-000000008801}988640C:\Windows\system32\svchost.exe{0309FDEB-F84E-5FA8-D800-000000008801}4552C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014544Microsoft-Windows-Sysmon/Operationalwin-dc-934.attackrange.local-2020-11-09 08:29:33.809{0309FDEB-F7AD-5FA8-0D00-000000008801}988640C:\Windows\system32\svchost.exe{0309FDEB-F84E-5FA8-D800-000000008801}4552C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014577Microsoft-Windows-Sysmon/Operationalwin-dc-934.attackrange.local-2020-11-09 08:29:40.341{0309FDEB-F84A-5FA8-AB00-000000008801}30124884C:\Windows\system32\conhost.exe{0309FDEB-FDF4-5FA8-9306-000000008801}4436C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014576Microsoft-Windows-Sysmon/Operationalwin-dc-934.attackrange.local-2020-11-09 08:29:40.341{0309FDEB-F7AD-5FA8-0C00-000000008801}5961120C:\Windows\system32\svchost.exe{0309FDEB-F7BD-5FA8-2F00-000000008801}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014575Microsoft-Windows-Sysmon/Operationalwin-dc-934.attackrange.local-2020-11-09 08:29:40.341{0309FDEB-F7AD-5FA8-0C00-000000008801}5961120C:\Windows\system32\svchost.exe{0309FDEB-F7BD-5FA8-2F00-000000008801}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014574Microsoft-Windows-Sysmon/Operationalwin-dc-934.attackrange.local-2020-11-09 08:29:40.341{0309FDEB-F7AD-5FA8-0C00-000000008801}5961120C:\Windows\system32\svchost.exe{0309FDEB-F7BD-5FA8-2F00-000000008801}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014573Microsoft-Windows-Sysmon/Operationalwin-dc-934.attackrange.local-2020-11-09 08:29:40.341{0309FDEB-F7AD-5FA8-0C00-000000008801}5961120C:\Windows\system32\svchost.exe{0309FDEB-F7BD-5FA8-2F00-000000008801}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014572Microsoft-Windows-Sysmon/Operationalwin-dc-934.attackrange.local-2020-11-09 08:29:40.341{0309FDEB-F7AB-5FA8-0500-000000008801}644660C:\Windows\system32\csrss.exe{0309FDEB-FDF4-5FA8-9306-000000008801}4436C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000014571Microsoft-Windows-Sysmon/Operationalwin-dc-934.attackrange.local-2020-11-09 08:29:40.341{0309FDEB-F84A-5FA8-A700-000000008801}12483500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0309FDEB-FDF4-5FA8-9306-000000008801}4436C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000014570Microsoft-Windows-Sysmon/Operationalwin-dc-934.attackrange.local-2020-11-09 08:29:40.341{0309FDEB-FDF4-5FA8-9306-000000008801}4436C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0309FDEB-F7AB-5FA8-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{0309FDEB-F84A-5FA8-A700-000000008801}1248C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000014594Microsoft-Windows-Sysmon/Operationalwin-dc-934.attackrange.local-2020-11-09 08:29:41.684{0309FDEB-F84A-5FA8-AB00-000000008801}30124884C:\Windows\system32\conhost.exe{0309FDEB-FDF5-5FA8-9506-000000008801}3548C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014593Microsoft-Windows-Sysmon/Operationalwin-dc-934.attackrange.local-2020-11-09 08:29:41.684{0309FDEB-F7AD-5FA8-0C00-000000008801}5961120C:\Windows\system32\svchost.exe{0309FDEB-F7BD-5FA8-2F00-000000008801}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014592Microsoft-Windows-Sysmon/Operationalwin-dc-934.attackrange.local-2020-11-09 08:29:41.684{0309FDEB-F7AD-5FA8-0C00-000000008801}5961120C:\Windows\system32\svchost.exe{0309FDEB-F7BD-5FA8-2F00-000000008801}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014591Microsoft-Windows-Sysmon/Operationalwin-dc-934.attackrange.local-2020-11-09 08:29:41.684{0309FDEB-F7AD-5FA8-0C00-000000008801}5961120C:\Windows\system32\svchost.exe{0309FDEB-F7BD-5FA8-2F00-000000008801}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014590Microsoft-Windows-Sysmon/Operationalwin-dc-934.attackrange.local-2020-11-09 08:29:41.684{0309FDEB-F7AD-5FA8-0C00-000000008801}5961120C:\Windows\system32\svchost.exe{0309FDEB-F7BD-5FA8-2F00-000000008801}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014589Microsoft-Windows-Sysmon/Operationalwin-dc-934.attackrange.local-2020-11-09 08:29:41.684{0309FDEB-F7AB-5FA8-0500-000000008801}6441220C:\Windows\system32\csrss.exe{0309FDEB-FDF5-5FA8-9506-000000008801}3548C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000014588Microsoft-Windows-Sysmon/Operationalwin-dc-934.attackrange.local-2020-11-09 08:29:41.684{0309FDEB-F84A-5FA8-A700-000000008801}12483500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0309FDEB-FDF5-5FA8-9506-000000008801}3548C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000014587Microsoft-Windows-Sysmon/Operationalwin-dc-934.attackrange.local-2020-11-09 08:29:41.685{0309FDEB-FDF5-5FA8-9506-000000008801}3548C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0309FDEB-F7AB-5FA8-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{0309FDEB-F84A-5FA8-A700-000000008801}1248C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000014586Microsoft-Windows-Sysmon/Operationalwin-dc-934.attackrange.local-2020-11-09 08:29:41.153{0309FDEB-FDF5-5FA8-9406-000000008801}47766480C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{0309FDEB-F84A-5FA8-A700-000000008801}1248C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014585Microsoft-Windows-Sysmon/Operationalwin-dc-934.attackrange.local-2020-11-09 08:29:41.012{0309FDEB-F84A-5FA8-AB00-000000008801}30124884C:\Windows\system32\conhost.exe{0309FDEB-FDF5-5FA8-9406-000000008801}4776C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014584Microsoft-Windows-Sysmon/Operationalwin-dc-934.attackrange.local-2020-11-09 08:29:41.012{0309FDEB-F7AD-5FA8-0C00-000000008801}5961120C:\Windows\system32\svchost.exe{0309FDEB-F7BD-5FA8-2F00-000000008801}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014583Microsoft-Windows-Sysmon/Operationalwin-dc-934.attackrange.local-2020-11-09 08:29:41.012{0309FDEB-F7AD-5FA8-0C00-000000008801}5961120C:\Windows\system32\svchost.exe{0309FDEB-F7BD-5FA8-2F00-000000008801}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014582Microsoft-Windows-Sysmon/Operationalwin-dc-934.attackrange.local-2020-11-09 08:29:41.012{0309FDEB-F7AD-5FA8-0C00-000000008801}5961120C:\Windows\system32\svchost.exe{0309FDEB-F7BD-5FA8-2F00-000000008801}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014581Microsoft-Windows-Sysmon/Operationalwin-dc-934.attackrange.local-2020-11-09 08:29:41.012{0309FDEB-F7AD-5FA8-0C00-000000008801}5961120C:\Windows\system32\svchost.exe{0309FDEB-F7BD-5FA8-2F00-000000008801}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014580Microsoft-Windows-Sysmon/Operationalwin-dc-934.attackrange.local-2020-11-09 08:29:41.012{0309FDEB-F7AB-5FA8-0500-000000008801}6442420C:\Windows\system32\csrss.exe{0309FDEB-FDF5-5FA8-9406-000000008801}4776C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000014579Microsoft-Windows-Sysmon/Operationalwin-dc-934.attackrange.local-2020-11-09 08:29:41.012{0309FDEB-F84A-5FA8-A700-000000008801}12483500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0309FDEB-FDF5-5FA8-9406-000000008801}4776C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000014578Microsoft-Windows-Sysmon/Operationalwin-dc-934.attackrange.local-2020-11-09 08:29:41.013{0309FDEB-FDF5-5FA8-9406-000000008801}4776C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0309FDEB-F7AB-5FA8-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{0309FDEB-F84A-5FA8-A700-000000008801}1248C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000014603Microsoft-Windows-Sysmon/Operationalwin-dc-934.attackrange.local-2020-11-09 08:29:42.497{0309FDEB-FDF6-5FA8-9606-000000008801}23566856C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{0309FDEB-F84A-5FA8-A700-000000008801}1248C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014602Microsoft-Windows-Sysmon/Operationalwin-dc-934.attackrange.local-2020-11-09 08:29:42.356{0309FDEB-F84A-5FA8-AB00-000000008801}30124884C:\Windows\system32\conhost.exe{0309FDEB-FDF6-5FA8-9606-000000008801}2356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014601Microsoft-Windows-Sysmon/Operationalwin-dc-934.attackrange.local-2020-11-09 08:29:42.356{0309FDEB-F7AD-5FA8-0C00-000000008801}5961120C:\Windows\system32\svchost.exe{0309FDEB-F7BD-5FA8-2F00-000000008801}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014600Microsoft-Windows-Sysmon/Operationalwin-dc-934.attackrange.local-2020-11-09 08:29:42.356{0309FDEB-F7AD-5FA8-0C00-000000008801}5961120C:\Windows\system32\svchost.exe{0309FDEB-F7BD-5FA8-2F00-000000008801}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014599Microsoft-Windows-Sysmon/Operationalwin-dc-934.attackrange.local-2020-11-09 08:29:42.356{0309FDEB-F7AD-5FA8-0C00-000000008801}5961120C:\Windows\system32\svchost.exe{0309FDEB-F7BD-5FA8-2F00-000000008801}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014598Microsoft-Windows-Sysmon/Operationalwin-dc-934.attackrange.local-2020-11-09 08:29:42.356{0309FDEB-F7AD-5FA8-0C00-000000008801}5961120C:\Windows\system32\svchost.exe{0309FDEB-F7BD-5FA8-2F00-000000008801}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014597Microsoft-Windows-Sysmon/Operationalwin-dc-934.attackrange.local-2020-11-09 08:29:42.356{0309FDEB-F7AB-5FA8-0500-000000008801}6442420C:\Windows\system32\csrss.exe{0309FDEB-FDF6-5FA8-9606-000000008801}2356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000014596Microsoft-Windows-Sysmon/Operationalwin-dc-934.attackrange.local-2020-11-09 08:29:42.356{0309FDEB-F84A-5FA8-A700-000000008801}12483500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0309FDEB-FDF6-5FA8-9606-000000008801}2356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000014595Microsoft-Windows-Sysmon/Operationalwin-dc-934.attackrange.local-2020-11-09 08:29:42.357{0309FDEB-FDF6-5FA8-9606-000000008801}2356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0309FDEB-F7AB-5FA8-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{0309FDEB-F84A-5FA8-A700-000000008801}1248C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000014612Microsoft-Windows-Sysmon/Operationalwin-dc-934.attackrange.local-2020-11-09 08:29:43.481{0309FDEB-FDF7-5FA8-9706-000000008801}45566424C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{0309FDEB-F84A-5FA8-A700-000000008801}1248C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014611Microsoft-Windows-Sysmon/Operationalwin-dc-934.attackrange.local-2020-11-09 08:29:43.340{0309FDEB-F84A-5FA8-AB00-000000008801}30124884C:\Windows\system32\conhost.exe{0309FDEB-FDF7-5FA8-9706-000000008801}4556C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014610Microsoft-Windows-Sysmon/Operationalwin-dc-934.attackrange.local-2020-11-09 08:29:43.340{0309FDEB-F7AD-5FA8-0C00-000000008801}5961120C:\Windows\system32\svchost.exe{0309FDEB-F7BD-5FA8-2F00-000000008801}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014609Microsoft-Windows-Sysmon/Operationalwin-dc-934.attackrange.local-2020-11-09 08:29:43.340{0309FDEB-F7AD-5FA8-0C00-000000008801}5961120C:\Windows\system32\svchost.exe{0309FDEB-F7BD-5FA8-2F00-000000008801}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014608Microsoft-Windows-Sysmon/Operationalwin-dc-934.attackrange.local-2020-11-09 08:29:43.340{0309FDEB-F7AD-5FA8-0C00-000000008801}5961120C:\Windows\system32\svchost.exe{0309FDEB-F7BD-5FA8-2F00-000000008801}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014607Microsoft-Windows-Sysmon/Operationalwin-dc-934.attackrange.local-2020-11-09 08:29:43.340{0309FDEB-F7AD-5FA8-0C00-000000008801}5961120C:\Windows\system32\svchost.exe{0309FDEB-F7BD-5FA8-2F00-000000008801}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014606Microsoft-Windows-Sysmon/Operationalwin-dc-934.attackrange.local-2020-11-09 08:29:43.340{0309FDEB-F7AB-5FA8-0500-000000008801}6441220C:\Windows\system32\csrss.exe{0309FDEB-FDF7-5FA8-9706-000000008801}4556C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000014605Microsoft-Windows-Sysmon/Operationalwin-dc-934.attackrange.local-2020-11-09 08:29:43.340{0309FDEB-F84A-5FA8-A700-000000008801}12483500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0309FDEB-FDF7-5FA8-9706-000000008801}4556C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000014604Microsoft-Windows-Sysmon/Operationalwin-dc-934.attackrange.local-2020-11-09 08:29:43.341{0309FDEB-FDF7-5FA8-9706-000000008801}4556C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{0309FDEB-F7AB-5FA8-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{0309FDEB-F84A-5FA8-A700-000000008801}1248C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000014621Microsoft-Windows-Sysmon/Operationalwin-dc-934.attackrange.local-2020-11-09 08:29:44.481{0309FDEB-FDF8-5FA8-9806-000000008801}61646096C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{0309FDEB-F84A-5FA8-A700-000000008801}1248C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014620Microsoft-Windows-Sysmon/Operationalwin-dc-934.attackrange.local-2020-11-09 08:29:44.340{0309FDEB-F84A-5FA8-AB00-000000008801}30124884C:\Windows\system32\conhost.exe{0309FDEB-FDF8-5FA8-9806-000000008801}6164C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014619Microsoft-Windows-Sysmon/Operationalwin-dc-934.attackrange.local-2020-11-09 08:29:44.340{0309FDEB-F7AD-5FA8-0C00-000000008801}596648C:\Windows\system32\svchost.exe{0309FDEB-F7BD-5FA8-2F00-000000008801}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014618Microsoft-Windows-Sysmon/Operationalwin-dc-934.attackrange.local-2020-11-09 08:29:44.340{0309FDEB-F7AD-5FA8-0C00-000000008801}596648C:\Windows\system32\svchost.exe{0309FDEB-F7BD-5FA8-2F00-000000008801}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014617Microsoft-Windows-Sysmon/Operationalwin-dc-934.attackrange.local-2020-11-09 08:29:44.340{0309FDEB-F7AD-5FA8-0C00-000000008801}596648C:\Windows\system32\svchost.exe{0309FDEB-F7BD-5FA8-2F00-000000008801}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014616Microsoft-Windows-Sysmon/Operationalwin-dc-934.attackrange.local-2020-11-09 08:29:44.340{0309FDEB-F7AD-5FA8-0C00-000000008801}596648C:\Windows\system32\svchost.exe{0309FDEB-F7BD-5FA8-2F00-000000008801}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014615Microsoft-Windows-Sysmon/Operationalwin-dc-934.attackrange.local-2020-11-09 08:29:44.340{0309FDEB-F7AB-5FA8-0500-000000008801}644768C:\Windows\system32\csrss.exe{0309FDEB-FDF8-5FA8-9806-000000008801}6164C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000014614Microsoft-Windows-Sysmon/Operationalwin-dc-934.attackrange.local-2020-11-09 08:29:44.340{0309FDEB-F84A-5FA8-A700-000000008801}12483500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0309FDEB-FDF8-5FA8-9806-000000008801}6164C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000014613Microsoft-Windows-Sysmon/Operationalwin-dc-934.attackrange.local-2020-11-09 08:29:44.341{0309FDEB-FDF8-5FA8-9806-000000008801}6164C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0309FDEB-F7AB-5FA8-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{0309FDEB-F84A-5FA8-A700-000000008801}1248C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000014635Microsoft-Windows-Sysmon/Operationalwin-dc-934.attackrange.local-2020-11-09 08:29:45.434{0309FDEB-F84A-5FA8-AB00-000000008801}30124884C:\Windows\system32\conhost.exe{0309FDEB-FDF9-5FA8-9906-000000008801}5876C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014634Microsoft-Windows-Sysmon/Operationalwin-dc-934.attackrange.local-2020-11-09 08:29:45.434{0309FDEB-F7AD-5FA8-0C00-000000008801}596648C:\Windows\system32\svchost.exe{0309FDEB-F7BD-5FA8-2F00-000000008801}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014633Microsoft-Windows-Sysmon/Operationalwin-dc-934.attackrange.local-2020-11-09 08:29:45.434{0309FDEB-F7AD-5FA8-0C00-000000008801}596648C:\Windows\system32\svchost.exe{0309FDEB-F7BD-5FA8-2F00-000000008801}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014632Microsoft-Windows-Sysmon/Operationalwin-dc-934.attackrange.local-2020-11-09 08:29:45.434{0309FDEB-F7AD-5FA8-0C00-000000008801}596648C:\Windows\system32\svchost.exe{0309FDEB-F7BD-5FA8-2F00-000000008801}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014631Microsoft-Windows-Sysmon/Operationalwin-dc-934.attackrange.local-2020-11-09 08:29:45.434{0309FDEB-F7AD-5FA8-0C00-000000008801}596648C:\Windows\system32\svchost.exe{0309FDEB-F7BD-5FA8-2F00-000000008801}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014630Microsoft-Windows-Sysmon/Operationalwin-dc-934.attackrange.local-2020-11-09 08:29:45.434{0309FDEB-F7AB-5FA8-0500-000000008801}6442416C:\Windows\system32\csrss.exe{0309FDEB-FDF9-5FA8-9906-000000008801}5876C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000014629Microsoft-Windows-Sysmon/Operationalwin-dc-934.attackrange.local-2020-11-09 08:29:45.434{0309FDEB-F84A-5FA8-A700-000000008801}12483500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0309FDEB-FDF9-5FA8-9906-000000008801}5876C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000014628Microsoft-Windows-Sysmon/Operationalwin-dc-934.attackrange.local-2020-11-09 08:29:45.435{0309FDEB-FDF9-5FA8-9906-000000008801}5876C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0309FDEB-F7AB-5FA8-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{0309FDEB-F84A-5FA8-A700-000000008801}1248C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000014627Microsoft-Windows-Sysmon/Operationalwin-dc-934.attackrange.local-2020-11-09 08:29:45.309{0309FDEB-F84E-5FA8-D800-000000008801}45526124C:\Windows\Explorer.EXE{0309FDEB-FA3A-5FA8-8F01-000000008801}6320C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+18319|C:\Windows\System32\SHELL32.dll+c51e0|C:\Windows\System32\SHELL32.dll+c5a07|C:\Windows\Explorer.EXE+3ada8|C:\Windows\Explorer.EXE+3ac34|C:\Windows\Explorer.EXE+3aba1|C:\Windows\System32\windows.storage.dll+f51c7|C:\Windows\System32\windows.storage.dll+f3f4f|C:\Windows\System32\windows.storage.dll+f246f|C:\Windows\System32\SHCORE.dll+328c6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014626Microsoft-Windows-Sysmon/Operationalwin-dc-934.attackrange.local-2020-11-09 08:29:45.309{0309FDEB-F84E-5FA8-D800-000000008801}45526124C:\Windows\Explorer.EXE{0309FDEB-FA3A-5FA8-8F01-000000008801}6320C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+c4c94|C:\Windows\System32\SHELL32.dll+c5a07|C:\Windows\Explorer.EXE+3ada8|C:\Windows\Explorer.EXE+3ac34|C:\Windows\Explorer.EXE+3aba1|C:\Windows\System32\windows.storage.dll+f51c7|C:\Windows\System32\windows.storage.dll+f3f4f|C:\Windows\System32\windows.storage.dll+f246f|C:\Windows\System32\SHCORE.dll+328c6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014625Microsoft-Windows-Sysmon/Operationalwin-dc-934.attackrange.local-2020-11-09 08:29:45.309{0309FDEB-F84E-5FA8-D800-000000008801}45526068C:\Windows\Explorer.EXE{0309FDEB-FA3A-5FA8-9001-000000008801}2996C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+c4a3f|C:\Windows\System32\SHELL32.dll+c61b0|C:\Windows\System32\TwinUI.dll+144fa1|C:\Windows\System32\TwinUI.dll+14580f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014624Microsoft-Windows-Sysmon/Operationalwin-dc-934.attackrange.local-2020-11-09 08:29:45.309{0309FDEB-F84E-5FA8-D800-000000008801}45526068C:\Windows\Explorer.EXE{0309FDEB-FA3A-5FA8-9001-000000008801}2996C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123bc0|C:\Windows\System32\SHELL32.dll+c616c|C:\Windows\System32\TwinUI.dll+144fa1|C:\Windows\System32\TwinUI.dll+14580f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014623Microsoft-Windows-Sysmon/Operationalwin-dc-934.attackrange.local-2020-11-09 08:29:45.309{0309FDEB-F84E-5FA8-D800-000000008801}45526068C:\Windows\Explorer.EXE{0309FDEB-FA3A-5FA8-9001-000000008801}2996C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+c4c94|C:\Windows\System32\SHELL32.dll+c6140|C:\Windows\System32\TwinUI.dll+144fa1|C:\Windows\System32\TwinUI.dll+14580f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014622Microsoft-Windows-Sysmon/Operationalwin-dc-934.attackrange.local-2020-11-09 08:29:45.309{0309FDEB-F84E-5FA8-D800-000000008801}45526068C:\Windows\Explorer.EXE{0309FDEB-FA3A-5FA8-9001-000000008801}2996C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+144dd9|C:\Windows\System32\TwinUI.dll+14580f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x800000000000000014636Microsoft-Windows-Sysmon/Operationalwin-dc-934.attackrange.localDownloads2020-11-09 08:29:58.293{0309FDEB-FA3A-5FA8-8F01-000000008801}6320C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\Downloads\GetYouFiles.txt2020-11-09 08:29:58.293 10341000x800000000000000014640Microsoft-Windows-Sysmon/Operationalwin-dc-934.attackrange.local-2020-11-09 08:30:35.245{0309FDEB-F7AD-5FA8-0C00-000000008801}596648C:\Windows\system32\svchost.exe{0309FDEB-F7AD-5FA8-1600-000000008801}1616C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014639Microsoft-Windows-Sysmon/Operationalwin-dc-934.attackrange.local-2020-11-09 08:30:35.245{0309FDEB-F7AD-5FA8-0C00-000000008801}596648C:\Windows\system32\svchost.exe{0309FDEB-F7AD-5FA8-1600-000000008801}1616C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014638Microsoft-Windows-Sysmon/Operationalwin-dc-934.attackrange.local-2020-11-09 08:30:35.245{0309FDEB-F7AD-5FA8-0C00-000000008801}596648C:\Windows\system32\svchost.exe{0309FDEB-F7AD-5FA8-1600-000000008801}1616C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014637Microsoft-Windows-Sysmon/Operationalwin-dc-934.attackrange.local-2020-11-09 08:30:35.105{0309FDEB-F7AB-5FA8-0B00-000000008801}860984C:\Windows\system32\lsass.exe{0309FDEB-F7AA-5FA8-0100-000000008801}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2e101|C:\Windows\system32\lsasrv.dll+2c2c4|C:\Windows\system32\lsasrv.dll+31819|C:\Windows\system32\lsasrv.dll+2f177|C:\Windows\system32\lsasrv.dll+2e101|C:\Windows\system32\lsasrv.dll+16cdd|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x800000000000000014648Microsoft-Windows-Sysmon/Operationalwin-dc-934.attackrange.local-2020-11-09 08:30:40.339{0309FDEB-F84A-5FA8-AB00-000000008801}30124884C:\Windows\system32\conhost.exe{0309FDEB-FE30-5FA8-9A06-000000008801}7100C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014647Microsoft-Windows-Sysmon/Operationalwin-dc-934.attackrange.local-2020-11-09 08:30:40.339{0309FDEB-F7AD-5FA8-0C00-000000008801}596648C:\Windows\system32\svchost.exe{0309FDEB-F7BD-5FA8-2F00-000000008801}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014646Microsoft-Windows-Sysmon/Operationalwin-dc-934.attackrange.local-2020-11-09 08:30:40.339{0309FDEB-F7AD-5FA8-0C00-000000008801}596648C:\Windows\system32\svchost.exe{0309FDEB-F7BD-5FA8-2F00-000000008801}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014645Microsoft-Windows-Sysmon/Operationalwin-dc-934.attackrange.local-2020-11-09 08:30:40.339{0309FDEB-F7AD-5FA8-0C00-000000008801}596648C:\Windows\system32\svchost.exe{0309FDEB-F7BD-5FA8-2F00-000000008801}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014644Microsoft-Windows-Sysmon/Operationalwin-dc-934.attackrange.local-2020-11-09 08:30:40.339{0309FDEB-F7AD-5FA8-0C00-000000008801}596648C:\Windows\system32\svchost.exe{0309FDEB-F7BD-5FA8-2F00-000000008801}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014643Microsoft-Windows-Sysmon/Operationalwin-dc-934.attackrange.local-2020-11-09 08:30:40.339{0309FDEB-F7AB-5FA8-0500-000000008801}644768C:\Windows\system32\csrss.exe{0309FDEB-FE30-5FA8-9A06-000000008801}7100C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000014642Microsoft-Windows-Sysmon/Operationalwin-dc-934.attackrange.local-2020-11-09 08:30:40.339{0309FDEB-F84A-5FA8-A700-000000008801}12483500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0309FDEB-FE30-5FA8-9A06-000000008801}7100C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000014641Microsoft-Windows-Sysmon/Operationalwin-dc-934.attackrange.local-2020-11-09 08:30:40.340{0309FDEB-FE30-5FA8-9A06-000000008801}7100C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0309FDEB-F7AB-5FA8-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{0309FDEB-F84A-5FA8-A700-000000008801}1248C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000014665Microsoft-Windows-Sysmon/Operationalwin-dc-934.attackrange.local-2020-11-09 08:30:41.683{0309FDEB-F84A-5FA8-AB00-000000008801}30124884C:\Windows\system32\conhost.exe{0309FDEB-FE31-5FA8-9C06-000000008801}5252C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014664Microsoft-Windows-Sysmon/Operationalwin-dc-934.attackrange.local-2020-11-09 08:30:41.683{0309FDEB-F7AD-5FA8-0C00-000000008801}596648C:\Windows\system32\svchost.exe{0309FDEB-F7BD-5FA8-2F00-000000008801}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014663Microsoft-Windows-Sysmon/Operationalwin-dc-934.attackrange.local-2020-11-09 08:30:41.683{0309FDEB-F7AD-5FA8-0C00-000000008801}596648C:\Windows\system32\svchost.exe{0309FDEB-F7BD-5FA8-2F00-000000008801}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014662Microsoft-Windows-Sysmon/Operationalwin-dc-934.attackrange.local-2020-11-09 08:30:41.683{0309FDEB-F7AD-5FA8-0C00-000000008801}596648C:\Windows\system32\svchost.exe{0309FDEB-F7BD-5FA8-2F00-000000008801}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014661Microsoft-Windows-Sysmon/Operationalwin-dc-934.attackrange.local-2020-11-09 08:30:41.683{0309FDEB-F7AD-5FA8-0C00-000000008801}596648C:\Windows\system32\svchost.exe{0309FDEB-F7BD-5FA8-2F00-000000008801}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014660Microsoft-Windows-Sysmon/Operationalwin-dc-934.attackrange.local-2020-11-09 08:30:41.683{0309FDEB-F7AB-5FA8-0500-000000008801}6442420C:\Windows\system32\csrss.exe{0309FDEB-FE31-5FA8-9C06-000000008801}5252C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000014659Microsoft-Windows-Sysmon/Operationalwin-dc-934.attackrange.local-2020-11-09 08:30:41.683{0309FDEB-F84A-5FA8-A700-000000008801}12483500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0309FDEB-FE31-5FA8-9C06-000000008801}5252C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000014658Microsoft-Windows-Sysmon/Operationalwin-dc-934.attackrange.local-2020-11-09 08:30:41.683{0309FDEB-FE31-5FA8-9C06-000000008801}5252C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0309FDEB-F7AB-5FA8-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{0309FDEB-F84A-5FA8-A700-000000008801}1248C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000014657Microsoft-Windows-Sysmon/Operationalwin-dc-934.attackrange.local-2020-11-09 08:30:41.151{0309FDEB-FE31-5FA8-9B06-000000008801}66445892C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{0309FDEB-F84A-5FA8-A700-000000008801}1248C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014656Microsoft-Windows-Sysmon/Operationalwin-dc-934.attackrange.local-2020-11-09 08:30:41.011{0309FDEB-F84A-5FA8-AB00-000000008801}30124884C:\Windows\system32\conhost.exe{0309FDEB-FE31-5FA8-9B06-000000008801}6644C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014655Microsoft-Windows-Sysmon/Operationalwin-dc-934.attackrange.local-2020-11-09 08:30:41.011{0309FDEB-F7AD-5FA8-0C00-000000008801}596648C:\Windows\system32\svchost.exe{0309FDEB-F7BD-5FA8-2F00-000000008801}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014654Microsoft-Windows-Sysmon/Operationalwin-dc-934.attackrange.local-2020-11-09 08:30:41.011{0309FDEB-F7AD-5FA8-0C00-000000008801}596648C:\Windows\system32\svchost.exe{0309FDEB-F7BD-5FA8-2F00-000000008801}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014653Microsoft-Windows-Sysmon/Operationalwin-dc-934.attackrange.local-2020-11-09 08:30:41.011{0309FDEB-F7AD-5FA8-0C00-000000008801}596648C:\Windows\system32\svchost.exe{0309FDEB-F7BD-5FA8-2F00-000000008801}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014652Microsoft-Windows-Sysmon/Operationalwin-dc-934.attackrange.local-2020-11-09 08:30:41.011{0309FDEB-F7AD-5FA8-0C00-000000008801}596648C:\Windows\system32\svchost.exe{0309FDEB-F7BD-5FA8-2F00-000000008801}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014651Microsoft-Windows-Sysmon/Operationalwin-dc-934.attackrange.local-2020-11-09 08:30:41.011{0309FDEB-F7AB-5FA8-0500-000000008801}6441220C:\Windows\system32\csrss.exe{0309FDEB-FE31-5FA8-9B06-000000008801}6644C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000014650Microsoft-Windows-Sysmon/Operationalwin-dc-934.attackrange.local-2020-11-09 08:30:41.011{0309FDEB-F84A-5FA8-A700-000000008801}12483500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0309FDEB-FE31-5FA8-9B06-000000008801}6644C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000014649Microsoft-Windows-Sysmon/Operationalwin-dc-934.attackrange.local-2020-11-09 08:30:41.011{0309FDEB-FE31-5FA8-9B06-000000008801}6644C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0309FDEB-F7AB-5FA8-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{0309FDEB-F84A-5FA8-A700-000000008801}1248C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000014674Microsoft-Windows-Sysmon/Operationalwin-dc-934.attackrange.local-2020-11-09 08:30:42.495{0309FDEB-FE32-5FA8-9D06-000000008801}54206344C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{0309FDEB-F84A-5FA8-A700-000000008801}1248C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014673Microsoft-Windows-Sysmon/Operationalwin-dc-934.attackrange.local-2020-11-09 08:30:42.355{0309FDEB-F84A-5FA8-AB00-000000008801}30124884C:\Windows\system32\conhost.exe{0309FDEB-FE32-5FA8-9D06-000000008801}5420C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014672Microsoft-Windows-Sysmon/Operationalwin-dc-934.attackrange.local-2020-11-09 08:30:42.355{0309FDEB-F7AD-5FA8-0C00-000000008801}596648C:\Windows\system32\svchost.exe{0309FDEB-F7BD-5FA8-2F00-000000008801}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014671Microsoft-Windows-Sysmon/Operationalwin-dc-934.attackrange.local-2020-11-09 08:30:42.355{0309FDEB-F7AD-5FA8-0C00-000000008801}596648C:\Windows\system32\svchost.exe{0309FDEB-F7BD-5FA8-2F00-000000008801}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014670Microsoft-Windows-Sysmon/Operationalwin-dc-934.attackrange.local-2020-11-09 08:30:42.355{0309FDEB-F7AD-5FA8-0C00-000000008801}596648C:\Windows\system32\svchost.exe{0309FDEB-F7BD-5FA8-2F00-000000008801}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014669Microsoft-Windows-Sysmon/Operationalwin-dc-934.attackrange.local-2020-11-09 08:30:42.355{0309FDEB-F7AD-5FA8-0C00-000000008801}596648C:\Windows\system32\svchost.exe{0309FDEB-F7BD-5FA8-2F00-000000008801}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014668Microsoft-Windows-Sysmon/Operationalwin-dc-934.attackrange.local-2020-11-09 08:30:42.355{0309FDEB-F7AB-5FA8-0500-000000008801}6441220C:\Windows\system32\csrss.exe{0309FDEB-FE32-5FA8-9D06-000000008801}5420C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000014667Microsoft-Windows-Sysmon/Operationalwin-dc-934.attackrange.local-2020-11-09 08:30:42.355{0309FDEB-F84A-5FA8-A700-000000008801}12483500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0309FDEB-FE32-5FA8-9D06-000000008801}5420C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000014666Microsoft-Windows-Sysmon/Operationalwin-dc-934.attackrange.local-2020-11-09 08:30:42.355{0309FDEB-FE32-5FA8-9D06-000000008801}5420C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0309FDEB-F7AB-5FA8-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{0309FDEB-F84A-5FA8-A700-000000008801}1248C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000014683Microsoft-Windows-Sysmon/Operationalwin-dc-934.attackrange.local-2020-11-09 08:30:43.479{0309FDEB-FE33-5FA8-9E06-000000008801}57484848C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{0309FDEB-F84A-5FA8-A700-000000008801}1248C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014682Microsoft-Windows-Sysmon/Operationalwin-dc-934.attackrange.local-2020-11-09 08:30:43.339{0309FDEB-F84A-5FA8-AB00-000000008801}30124884C:\Windows\system32\conhost.exe{0309FDEB-FE33-5FA8-9E06-000000008801}5748C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014681Microsoft-Windows-Sysmon/Operationalwin-dc-934.attackrange.local-2020-11-09 08:30:43.339{0309FDEB-F7AD-5FA8-0C00-000000008801}596648C:\Windows\system32\svchost.exe{0309FDEB-F7BD-5FA8-2F00-000000008801}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014680Microsoft-Windows-Sysmon/Operationalwin-dc-934.attackrange.local-2020-11-09 08:30:43.339{0309FDEB-F7AD-5FA8-0C00-000000008801}596648C:\Windows\system32\svchost.exe{0309FDEB-F7BD-5FA8-2F00-000000008801}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014679Microsoft-Windows-Sysmon/Operationalwin-dc-934.attackrange.local-2020-11-09 08:30:43.339{0309FDEB-F7AD-5FA8-0C00-000000008801}596648C:\Windows\system32\svchost.exe{0309FDEB-F7BD-5FA8-2F00-000000008801}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014678Microsoft-Windows-Sysmon/Operationalwin-dc-934.attackrange.local-2020-11-09 08:30:43.339{0309FDEB-F7AD-5FA8-0C00-000000008801}596648C:\Windows\system32\svchost.exe{0309FDEB-F7BD-5FA8-2F00-000000008801}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014677Microsoft-Windows-Sysmon/Operationalwin-dc-934.attackrange.local-2020-11-09 08:30:43.339{0309FDEB-F7AB-5FA8-0500-000000008801}6442420C:\Windows\system32\csrss.exe{0309FDEB-FE33-5FA8-9E06-000000008801}5748C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000014676Microsoft-Windows-Sysmon/Operationalwin-dc-934.attackrange.local-2020-11-09 08:30:43.339{0309FDEB-F84A-5FA8-A700-000000008801}12483500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0309FDEB-FE33-5FA8-9E06-000000008801}5748C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000014675Microsoft-Windows-Sysmon/Operationalwin-dc-934.attackrange.local-2020-11-09 08:30:43.339{0309FDEB-FE33-5FA8-9E06-000000008801}5748C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{0309FDEB-F7AB-5FA8-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{0309FDEB-F84A-5FA8-A700-000000008801}1248C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000014692Microsoft-Windows-Sysmon/Operationalwin-dc-934.attackrange.local-2020-11-09 08:30:44.479{0309FDEB-FE34-5FA8-9F06-000000008801}67286088C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{0309FDEB-F84A-5FA8-A700-000000008801}1248C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014691Microsoft-Windows-Sysmon/Operationalwin-dc-934.attackrange.local-2020-11-09 08:30:44.339{0309FDEB-F84A-5FA8-AB00-000000008801}30124884C:\Windows\system32\conhost.exe{0309FDEB-FE34-5FA8-9F06-000000008801}6728C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014690Microsoft-Windows-Sysmon/Operationalwin-dc-934.attackrange.local-2020-11-09 08:30:44.339{0309FDEB-F7AD-5FA8-0C00-000000008801}596648C:\Windows\system32\svchost.exe{0309FDEB-F7BD-5FA8-2F00-000000008801}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014689Microsoft-Windows-Sysmon/Operationalwin-dc-934.attackrange.local-2020-11-09 08:30:44.339{0309FDEB-F7AD-5FA8-0C00-000000008801}596648C:\Windows\system32\svchost.exe{0309FDEB-F7BD-5FA8-2F00-000000008801}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014688Microsoft-Windows-Sysmon/Operationalwin-dc-934.attackrange.local-2020-11-09 08:30:44.339{0309FDEB-F7AD-5FA8-0C00-000000008801}596648C:\Windows\system32\svchost.exe{0309FDEB-F7BD-5FA8-2F00-000000008801}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014687Microsoft-Windows-Sysmon/Operationalwin-dc-934.attackrange.local-2020-11-09 08:30:44.339{0309FDEB-F7AD-5FA8-0C00-000000008801}596648C:\Windows\system32\svchost.exe{0309FDEB-F7BD-5FA8-2F00-000000008801}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014686Microsoft-Windows-Sysmon/Operationalwin-dc-934.attackrange.local-2020-11-09 08:30:44.339{0309FDEB-F7AB-5FA8-0500-000000008801}6442416C:\Windows\system32\csrss.exe{0309FDEB-FE34-5FA8-9F06-000000008801}6728C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000014685Microsoft-Windows-Sysmon/Operationalwin-dc-934.attackrange.local-2020-11-09 08:30:44.339{0309FDEB-F84A-5FA8-A700-000000008801}12483500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0309FDEB-FE34-5FA8-9F06-000000008801}6728C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000014684Microsoft-Windows-Sysmon/Operationalwin-dc-934.attackrange.local-2020-11-09 08:30:44.339{0309FDEB-FE34-5FA8-9F06-000000008801}6728C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0309FDEB-F7AB-5FA8-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{0309FDEB-F84A-5FA8-A700-000000008801}1248C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000014700Microsoft-Windows-Sysmon/Operationalwin-dc-934.attackrange.local-2020-11-09 08:30:45.433{0309FDEB-F84A-5FA8-AB00-000000008801}30124884C:\Windows\system32\conhost.exe{0309FDEB-FE35-5FA8-A006-000000008801}588C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014699Microsoft-Windows-Sysmon/Operationalwin-dc-934.attackrange.local-2020-11-09 08:30:45.433{0309FDEB-F7AD-5FA8-0C00-000000008801}596648C:\Windows\system32\svchost.exe{0309FDEB-F7BD-5FA8-2F00-000000008801}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014698Microsoft-Windows-Sysmon/Operationalwin-dc-934.attackrange.local-2020-11-09 08:30:45.433{0309FDEB-F7AD-5FA8-0C00-000000008801}596648C:\Windows\system32\svchost.exe{0309FDEB-F7BD-5FA8-2F00-000000008801}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014697Microsoft-Windows-Sysmon/Operationalwin-dc-934.attackrange.local-2020-11-09 08:30:45.433{0309FDEB-F7AD-5FA8-0C00-000000008801}596648C:\Windows\system32\svchost.exe{0309FDEB-F7BD-5FA8-2F00-000000008801}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014696Microsoft-Windows-Sysmon/Operationalwin-dc-934.attackrange.local-2020-11-09 08:30:45.433{0309FDEB-F7AD-5FA8-0C00-000000008801}596648C:\Windows\system32\svchost.exe{0309FDEB-F7BD-5FA8-2F00-000000008801}2796C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78603|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+610fc|C:\Windows\System32\RPCRT4.dll+52734|C:\Windows\System32\RPCRT4.dll+5164d|C:\Windows\System32\RPCRT4.dll+51efb|C:\Windows\System32\RPCRT4.dll+2552c|C:\Windows\System32\RPCRT4.dll+259ac|C:\Windows\System32\RPCRT4.dll+1122c|C:\Windows\System32\RPCRT4.dll+12a8b|C:\Windows\System32\RPCRT4.dll+1efba|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000014695Microsoft-Windows-Sysmon/Operationalwin-dc-934.attackrange.local-2020-11-09 08:30:45.433{0309FDEB-F7AB-5FA8-0500-000000008801}6442420C:\Windows\system32\csrss.exe{0309FDEB-FE35-5FA8-A006-000000008801}588C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000014694Microsoft-Windows-Sysmon/Operationalwin-dc-934.attackrange.local-2020-11-09 08:30:45.433{0309FDEB-F84A-5FA8-A700-000000008801}12483500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0309FDEB-FE35-5FA8-A006-000000008801}588C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000014693Microsoft-Windows-Sysmon/Operationalwin-dc-934.attackrange.local-2020-11-09 08:30:45.433{0309FDEB-FE35-5FA8-A006-000000008801}588C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0309FDEB-F7AB-5FA8-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{0309FDEB-F84A-5FA8-A700-000000008801}1248C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service