10341000x800000000000000016584Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:24:57.720{326AC46C-7C94-5FBF-0000-0010AB250600}30883244C:\Windows\system32\conhost.exe{326AC46C-8279-5FBF-0000-001030CF2800}5780C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016583Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:24:57.720{326AC46C-7C10-5FBF-0000-0010F8650000}5921028C:\Windows\system32\svchost.exe{326AC46C-7C21-5FBF-0000-0010DACB0200}3188C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016582Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:24:57.720{326AC46C-7C10-5FBF-0000-0010F8650000}5921028C:\Windows\system32\svchost.exe{326AC46C-7C21-5FBF-0000-0010DACB0200}3188C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016581Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:24:57.720{326AC46C-7C10-5FBF-0000-0010F8650000}5921028C:\Windows\system32\svchost.exe{326AC46C-7C21-5FBF-0000-0010DACB0200}3188C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016580Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:24:57.720{326AC46C-7C10-5FBF-0000-0010F8650000}5921028C:\Windows\system32\svchost.exe{326AC46C-7C21-5FBF-0000-0010DACB0200}3188C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016579Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:24:57.720{326AC46C-7C0D-5FBF-0000-001005430000}6402148C:\Windows\system32\csrss.exe{326AC46C-8279-5FBF-0000-001030CF2800}5780C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000016578Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:24:57.720{326AC46C-7C94-5FBF-0000-0010CF200600}4476884C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{326AC46C-8279-5FBF-0000-001030CF2800}5780C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000016577Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:24:57.721{326AC46C-8279-5FBF-0000-001030CF2800}5780C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{326AC46C-7C0E-5FBF-0000-0020E7030000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{326AC46C-7C94-5FBF-0000-0010CF200600}4476C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000016592Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:24:58.423{326AC46C-7C94-5FBF-0000-0010AB250600}30883244C:\Windows\system32\conhost.exe{326AC46C-827A-5FBF-0000-0010E9D02800}3048C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016591Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:24:58.423{326AC46C-7C10-5FBF-0000-0010F8650000}5921028C:\Windows\system32\svchost.exe{326AC46C-7C21-5FBF-0000-0010DACB0200}3188C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016590Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:24:58.423{326AC46C-7C10-5FBF-0000-0010F8650000}5921028C:\Windows\system32\svchost.exe{326AC46C-7C21-5FBF-0000-0010DACB0200}3188C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016589Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:24:58.423{326AC46C-7C10-5FBF-0000-0010F8650000}5921028C:\Windows\system32\svchost.exe{326AC46C-7C21-5FBF-0000-0010DACB0200}3188C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016588Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:24:58.423{326AC46C-7C10-5FBF-0000-0010F8650000}5921028C:\Windows\system32\svchost.exe{326AC46C-7C21-5FBF-0000-0010DACB0200}3188C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016587Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:24:58.423{326AC46C-7C0D-5FBF-0000-001005430000}6402460C:\Windows\system32\csrss.exe{326AC46C-827A-5FBF-0000-0010E9D02800}3048C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000016586Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:24:58.423{326AC46C-7C94-5FBF-0000-0010CF200600}4476884C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{326AC46C-827A-5FBF-0000-0010E9D02800}3048C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000016585Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:24:58.424{326AC46C-827A-5FBF-0000-0010E9D02800}3048C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{326AC46C-7C0E-5FBF-0000-0020E7030000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{326AC46C-7C94-5FBF-0000-0010CF200600}4476C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000016601Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:24:59.236{326AC46C-827B-5FBF-0000-0010A1D22800}64684984C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{326AC46C-7C94-5FBF-0000-0010CF200600}4476C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016600Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:24:59.095{326AC46C-7C94-5FBF-0000-0010AB250600}30883244C:\Windows\system32\conhost.exe{326AC46C-827B-5FBF-0000-0010A1D22800}6468C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016599Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:24:59.095{326AC46C-7C10-5FBF-0000-0010F8650000}5921028C:\Windows\system32\svchost.exe{326AC46C-7C21-5FBF-0000-0010DACB0200}3188C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016598Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:24:59.095{326AC46C-7C10-5FBF-0000-0010F8650000}5921028C:\Windows\system32\svchost.exe{326AC46C-7C21-5FBF-0000-0010DACB0200}3188C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016597Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:24:59.095{326AC46C-7C10-5FBF-0000-0010F8650000}5921028C:\Windows\system32\svchost.exe{326AC46C-7C21-5FBF-0000-0010DACB0200}3188C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016596Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:24:59.095{326AC46C-7C10-5FBF-0000-0010F8650000}5921028C:\Windows\system32\svchost.exe{326AC46C-7C21-5FBF-0000-0010DACB0200}3188C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016595Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:24:59.095{326AC46C-7C0D-5FBF-0000-001005430000}640656C:\Windows\system32\csrss.exe{326AC46C-827B-5FBF-0000-0010A1D22800}6468C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000016594Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:24:59.095{326AC46C-7C94-5FBF-0000-0010CF200600}4476884C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{326AC46C-827B-5FBF-0000-0010A1D22800}6468C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000016593Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:24:59.096{326AC46C-827B-5FBF-0000-0010A1D22800}6468C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{326AC46C-7C0E-5FBF-0000-0020E7030000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{326AC46C-7C94-5FBF-0000-0010CF200600}4476C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000016619Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:25:00.829{326AC46C-827C-5FBF-0000-001015D62800}28405084C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{326AC46C-7C94-5FBF-0000-0010CF200600}4476C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016618Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:25:00.689{326AC46C-7C94-5FBF-0000-0010AB250600}30883244C:\Windows\system32\conhost.exe{326AC46C-827C-5FBF-0000-001015D62800}2840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016617Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:25:00.689{326AC46C-7C10-5FBF-0000-0010F8650000}5921028C:\Windows\system32\svchost.exe{326AC46C-7C21-5FBF-0000-0010DACB0200}3188C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016616Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:25:00.689{326AC46C-7C10-5FBF-0000-0010F8650000}5921028C:\Windows\system32\svchost.exe{326AC46C-7C21-5FBF-0000-0010DACB0200}3188C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016615Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:25:00.689{326AC46C-7C10-5FBF-0000-0010F8650000}5921028C:\Windows\system32\svchost.exe{326AC46C-7C21-5FBF-0000-0010DACB0200}3188C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016614Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:25:00.689{326AC46C-7C10-5FBF-0000-0010F8650000}5921028C:\Windows\system32\svchost.exe{326AC46C-7C21-5FBF-0000-0010DACB0200}3188C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016613Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:25:00.689{326AC46C-7C0D-5FBF-0000-001005430000}640800C:\Windows\system32\csrss.exe{326AC46C-827C-5FBF-0000-001015D62800}2840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000016612Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:25:00.689{326AC46C-7C94-5FBF-0000-0010CF200600}4476884C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{326AC46C-827C-5FBF-0000-001015D62800}2840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000016611Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:25:00.690{326AC46C-827C-5FBF-0000-001015D62800}2840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe?????"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{326AC46C-7C0E-5FBF-0000-0020E7030000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{326AC46C-7C94-5FBF-0000-0010CF200600}4476C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000016610Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:25:00.158{326AC46C-827C-5FBF-0000-001054D42800}39081488C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{326AC46C-7C94-5FBF-0000-0010CF200600}4476C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016609Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:25:00.017{326AC46C-7C94-5FBF-0000-0010AB250600}30883244C:\Windows\system32\conhost.exe{326AC46C-827C-5FBF-0000-001054D42800}3908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016608Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:25:00.017{326AC46C-7C10-5FBF-0000-0010F8650000}5921028C:\Windows\system32\svchost.exe{326AC46C-7C21-5FBF-0000-0010DACB0200}3188C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016607Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:25:00.017{326AC46C-7C10-5FBF-0000-0010F8650000}5921028C:\Windows\system32\svchost.exe{326AC46C-7C21-5FBF-0000-0010DACB0200}3188C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016606Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:25:00.017{326AC46C-7C10-5FBF-0000-0010F8650000}5921028C:\Windows\system32\svchost.exe{326AC46C-7C21-5FBF-0000-0010DACB0200}3188C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016605Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:25:00.017{326AC46C-7C10-5FBF-0000-0010F8650000}5921028C:\Windows\system32\svchost.exe{326AC46C-7C21-5FBF-0000-0010DACB0200}3188C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016604Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:25:00.017{326AC46C-7C0D-5FBF-0000-001005430000}6402148C:\Windows\system32\csrss.exe{326AC46C-827C-5FBF-0000-001054D42800}3908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000016603Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:25:00.017{326AC46C-7C94-5FBF-0000-0010CF200600}4476884C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{326AC46C-827C-5FBF-0000-001054D42800}3908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000016602Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:25:00.018{326AC46C-827C-5FBF-0000-001054D42800}3908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe?????"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{326AC46C-7C0E-5FBF-0000-0020E7030000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{326AC46C-7C94-5FBF-0000-0010CF200600}4476C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000016628Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:25:01.501{326AC46C-827D-5FBF-0000-0010D6D72800}57604704C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{326AC46C-7C94-5FBF-0000-0010CF200600}4476C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016627Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:25:01.361{326AC46C-7C94-5FBF-0000-0010AB250600}30883244C:\Windows\system32\conhost.exe{326AC46C-827D-5FBF-0000-0010D6D72800}5760C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016626Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:25:01.361{326AC46C-7C10-5FBF-0000-0010F8650000}5921028C:\Windows\system32\svchost.exe{326AC46C-7C21-5FBF-0000-0010DACB0200}3188C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016625Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:25:01.361{326AC46C-7C10-5FBF-0000-0010F8650000}5921028C:\Windows\system32\svchost.exe{326AC46C-7C21-5FBF-0000-0010DACB0200}3188C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016624Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:25:01.361{326AC46C-7C10-5FBF-0000-0010F8650000}5921028C:\Windows\system32\svchost.exe{326AC46C-7C21-5FBF-0000-0010DACB0200}3188C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016623Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:25:01.361{326AC46C-7C10-5FBF-0000-0010F8650000}5921028C:\Windows\system32\svchost.exe{326AC46C-7C21-5FBF-0000-0010DACB0200}3188C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016622Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:25:01.361{326AC46C-7C0D-5FBF-0000-001005430000}640656C:\Windows\system32\csrss.exe{326AC46C-827D-5FBF-0000-0010D6D72800}5760C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000016621Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:25:01.361{326AC46C-7C94-5FBF-0000-0010CF200600}4476884C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{326AC46C-827D-5FBF-0000-0010D6D72800}5760C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000016620Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:25:01.361{326AC46C-827D-5FBF-0000-0010D6D72800}5760C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{326AC46C-7C0E-5FBF-0000-0020E7030000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{326AC46C-7C94-5FBF-0000-0010CF200600}4476C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000016636Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:25:03.283{326AC46C-7C94-5FBF-0000-0010AB250600}30883244C:\Windows\system32\conhost.exe{326AC46C-827F-5FBF-0000-00107BDA2800}2072C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016635Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:25:03.283{326AC46C-7C10-5FBF-0000-0010F8650000}5921028C:\Windows\system32\svchost.exe{326AC46C-7C21-5FBF-0000-0010DACB0200}3188C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016634Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:25:03.283{326AC46C-7C10-5FBF-0000-0010F8650000}5921028C:\Windows\system32\svchost.exe{326AC46C-7C21-5FBF-0000-0010DACB0200}3188C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016633Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:25:03.283{326AC46C-7C10-5FBF-0000-0010F8650000}5921028C:\Windows\system32\svchost.exe{326AC46C-7C21-5FBF-0000-0010DACB0200}3188C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016632Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:25:03.283{326AC46C-7C10-5FBF-0000-0010F8650000}5921028C:\Windows\system32\svchost.exe{326AC46C-7C21-5FBF-0000-0010DACB0200}3188C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016631Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:25:03.283{326AC46C-7C0D-5FBF-0000-001005430000}640800C:\Windows\system32\csrss.exe{326AC46C-827F-5FBF-0000-00107BDA2800}2072C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000016630Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:25:03.283{326AC46C-7C94-5FBF-0000-0010CF200600}4476884C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{326AC46C-827F-5FBF-0000-00107BDA2800}2072C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000016629Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:25:03.283{326AC46C-827F-5FBF-0000-00107BDA2800}2072C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{326AC46C-7C0E-5FBF-0000-0020E7030000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{326AC46C-7C94-5FBF-0000-0010CF200600}4476C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000016642Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:25:08.923{326AC46C-7EC8-5FBF-0000-001074D40D00}35043344C:\Windows\Explorer.EXE{326AC46C-7EF8-5FBF-0000-00102BAA1600}6988C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+19439|C:\Windows\System32\SHELL32.dll+51390|C:\Windows\System32\SHELL32.dll+51f47|C:\Windows\Explorer.EXE+3ada8|C:\Windows\Explorer.EXE+3ac34|C:\Windows\Explorer.EXE+3aba1|C:\Windows\System32\windows.storage.dll+f51c7|C:\Windows\System32\windows.storage.dll+f3f4f|C:\Windows\System32\windows.storage.dll+f246f|C:\Windows\System32\SHCORE.dll+328c6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016641Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:25:08.923{326AC46C-7EC8-5FBF-0000-001074D40D00}35043344C:\Windows\Explorer.EXE{326AC46C-7EF8-5FBF-0000-00102BAA1600}6988C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+50e44|C:\Windows\System32\SHELL32.dll+51f47|C:\Windows\Explorer.EXE+3ada8|C:\Windows\Explorer.EXE+3ac34|C:\Windows\Explorer.EXE+3aba1|C:\Windows\System32\windows.storage.dll+f51c7|C:\Windows\System32\windows.storage.dll+f3f4f|C:\Windows\System32\windows.storage.dll+f246f|C:\Windows\System32\SHCORE.dll+328c6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016640Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:25:08.923{326AC46C-7EC8-5FBF-0000-001074D40D00}35045772C:\Windows\Explorer.EXE{326AC46C-7EF8-5FBF-0000-0010FFAA1600}6980C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+514bf|C:\Windows\System32\SHELL32.dll+519e0|C:\Windows\System32\TwinUI.dll+144fa1|C:\Windows\System32\TwinUI.dll+14580f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016639Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:25:08.923{326AC46C-7EC8-5FBF-0000-001074D40D00}35045772C:\Windows\Explorer.EXE{326AC46C-7EF8-5FBF-0000-0010FFAA1600}6980C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+e75c0|C:\Windows\System32\SHELL32.dll+5199c|C:\Windows\System32\TwinUI.dll+144fa1|C:\Windows\System32\TwinUI.dll+14580f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016638Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:25:08.923{326AC46C-7EC8-5FBF-0000-001074D40D00}35045772C:\Windows\Explorer.EXE{326AC46C-7EF8-5FBF-0000-0010FFAA1600}6980C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+50e44|C:\Windows\System32\SHELL32.dll+51970|C:\Windows\System32\TwinUI.dll+144fa1|C:\Windows\System32\TwinUI.dll+14580f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016637Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:25:08.923{326AC46C-7EC8-5FBF-0000-001074D40D00}35045772C:\Windows\Explorer.EXE{326AC46C-7EF8-5FBF-0000-0010FFAA1600}6980C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+144dd9|C:\Windows\System32\TwinUI.dll+14580f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016643Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:25:11.454{326AC46C-7C10-5FBF-0000-001009AA0000}6165100C:\Windows\system32\svchost.exe{326AC46C-7C11-5FBF-0000-001099BA0000}1148C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016644Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:25:43.548{326AC46C-7C10-5FBF-0000-001009AA0000}6165100C:\Windows\system32\svchost.exe{326AC46C-7C11-5FBF-0000-001099BA0000}1148C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x800000000000000016657Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.localSetValue2020-11-26 10:25:52.861{326AC46C-7C0E-5FBF-0000-00104D530000}848C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\calcservice\ObjectNameLocalSystem 13241300x800000000000000016656Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.localT1031,T1050SetValue2020-11-26 10:25:52.861{326AC46C-7C0E-5FBF-0000-00104D530000}848C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\calcservice\ImagePath%%windir%%\system32\win32calc.exe 13241300x800000000000000016655Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.localSetValue2020-11-26 10:25:52.861{326AC46C-7C0E-5FBF-0000-00104D530000}848C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\calcservice\ErrorControlDWORD (0x00000001) 13241300x800000000000000016654Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.localT1031,T1050SetValue2020-11-26 10:25:52.861{326AC46C-7C0E-5FBF-0000-00104D530000}848C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\calcservice\StartDWORD (0x00000003) 13241300x800000000000000016653Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.localSetValue2020-11-26 10:25:52.861{326AC46C-7C0E-5FBF-0000-00104D530000}848C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\calcservice\TypeDWORD (0x00000010) 10341000x800000000000000016652Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:25:52.861{326AC46C-7EF8-5FBF-0000-0010FFAA1600}69806648C:\Windows\system32\conhost.exe{326AC46C-82B0-5FBF-0000-0010CEEC2800}6560C:\Windows\system32\sc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016651Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:25:52.861{326AC46C-7C10-5FBF-0000-0010F8650000}5921028C:\Windows\system32\svchost.exe{326AC46C-7C21-5FBF-0000-0010DACB0200}3188C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016650Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:25:52.861{326AC46C-7C10-5FBF-0000-0010F8650000}5921028C:\Windows\system32\svchost.exe{326AC46C-7C21-5FBF-0000-0010DACB0200}3188C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016649Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:25:52.861{326AC46C-7C10-5FBF-0000-0010F8650000}5921028C:\Windows\system32\svchost.exe{326AC46C-7C21-5FBF-0000-0010DACB0200}3188C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016648Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:25:52.861{326AC46C-7C10-5FBF-0000-0010F8650000}5921028C:\Windows\system32\svchost.exe{326AC46C-7C21-5FBF-0000-0010DACB0200}3188C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016647Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:25:52.861{326AC46C-7EC5-5FBF-0000-001050330C00}16523284C:\Windows\system32\csrss.exe{326AC46C-82B0-5FBF-0000-0010CEEC2800}6560C:\Windows\system32\sc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000016646Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:25:52.861{326AC46C-7EF8-5FBF-0000-00102BAA1600}69885264C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{326AC46C-82B0-5FBF-0000-0010CEEC2800}6560C:\Windows\system32\sc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+3332f6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b5560|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b4f07|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+75579adb|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+74a1a6e5|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+74a1a3b6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+754cbc9b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+749daf4c|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+74a3941b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+74a1ca80|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+74a1ca80|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+74a1c911|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+74a0e896|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+74a1adc9|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+74a1a965|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+74a1a6e5|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+74a1a3b6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+754cbc9b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+74a01217|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+74a007e7 154100x800000000000000016645Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:25:52.863{326AC46C-82B0-5FBF-0000-0010CEEC2800}6560C:\Windows\System32\sc.exe10.0.14393.0 (rs1_release.160715-1616)Service Control Manager Configuration ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationsc.exe"C:\Windows\system32\sc.exe" create calcservice binpath= %%windir%%\system32\win32calc.exeC:\Users\Administrator\ATTACKRANGE\Administrator{326AC46C-7EC6-5FBF-0000-00208F290D00}0xd298f2HighMD5=BD31EB150F6547D18329E5F00801D1CD,SHA256=8A775B86CE1A057E290CCD26C59C96070684468A3119790743A346CD54F4DFDF,IMPHASH=A68324ADB4F5664AF8A79E04062F4A92{326AC46C-7EF8-5FBF-0000-00102BAA1600}6988C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" 10341000x800000000000000016665Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:25:57.736{326AC46C-7C94-5FBF-0000-0010AB250600}30883244C:\Windows\system32\conhost.exe{326AC46C-82B5-5FBF-0000-0010FFEE2800}5916C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016664Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:25:57.736{326AC46C-7C10-5FBF-0000-0010F8650000}5921028C:\Windows\system32\svchost.exe{326AC46C-7C21-5FBF-0000-0010DACB0200}3188C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016663Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:25:57.736{326AC46C-7C10-5FBF-0000-0010F8650000}5921028C:\Windows\system32\svchost.exe{326AC46C-7C21-5FBF-0000-0010DACB0200}3188C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016662Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:25:57.736{326AC46C-7C10-5FBF-0000-0010F8650000}5921028C:\Windows\system32\svchost.exe{326AC46C-7C21-5FBF-0000-0010DACB0200}3188C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016661Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:25:57.736{326AC46C-7C10-5FBF-0000-0010F8650000}5921028C:\Windows\system32\svchost.exe{326AC46C-7C21-5FBF-0000-0010DACB0200}3188C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016660Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:25:57.736{326AC46C-7C0D-5FBF-0000-001005430000}6402460C:\Windows\system32\csrss.exe{326AC46C-82B5-5FBF-0000-0010FFEE2800}5916C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000016659Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:25:57.736{326AC46C-7C94-5FBF-0000-0010CF200600}4476884C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{326AC46C-82B5-5FBF-0000-0010FFEE2800}5916C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000016658Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:25:57.737{326AC46C-82B5-5FBF-0000-0010FFEE2800}5916C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{326AC46C-7C0E-5FBF-0000-0020E7030000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{326AC46C-7C94-5FBF-0000-0010CF200600}4476C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000016673Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:25:58.423{326AC46C-7C94-5FBF-0000-0010AB250600}30883244C:\Windows\system32\conhost.exe{326AC46C-82B6-5FBF-0000-0010A9F02800}3472C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016672Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:25:58.423{326AC46C-7C10-5FBF-0000-0010F8650000}5921028C:\Windows\system32\svchost.exe{326AC46C-7C21-5FBF-0000-0010DACB0200}3188C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016671Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:25:58.423{326AC46C-7C10-5FBF-0000-0010F8650000}5921028C:\Windows\system32\svchost.exe{326AC46C-7C21-5FBF-0000-0010DACB0200}3188C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016670Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:25:58.423{326AC46C-7C10-5FBF-0000-0010F8650000}5921028C:\Windows\system32\svchost.exe{326AC46C-7C21-5FBF-0000-0010DACB0200}3188C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016669Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:25:58.423{326AC46C-7C10-5FBF-0000-0010F8650000}5921028C:\Windows\system32\svchost.exe{326AC46C-7C21-5FBF-0000-0010DACB0200}3188C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016668Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:25:58.423{326AC46C-7C0D-5FBF-0000-001005430000}6401160C:\Windows\system32\csrss.exe{326AC46C-82B6-5FBF-0000-0010A9F02800}3472C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000016667Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:25:58.423{326AC46C-7C94-5FBF-0000-0010CF200600}4476884C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{326AC46C-82B6-5FBF-0000-0010A9F02800}3472C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000016666Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:25:58.424{326AC46C-82B6-5FBF-0000-0010A9F02800}3472C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{326AC46C-7C0E-5FBF-0000-0020E7030000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{326AC46C-7C94-5FBF-0000-0010CF200600}4476C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000016682Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:25:59.173{326AC46C-82B7-5FBF-0000-001063F22800}5892648C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{326AC46C-7C94-5FBF-0000-0010CF200600}4476C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016681Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:25:59.033{326AC46C-7C94-5FBF-0000-0010AB250600}30883244C:\Windows\system32\conhost.exe{326AC46C-82B7-5FBF-0000-001063F22800}5892C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016680Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:25:59.033{326AC46C-7C10-5FBF-0000-0010F8650000}5921028C:\Windows\system32\svchost.exe{326AC46C-7C21-5FBF-0000-0010DACB0200}3188C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016679Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:25:59.033{326AC46C-7C10-5FBF-0000-0010F8650000}5921028C:\Windows\system32\svchost.exe{326AC46C-7C21-5FBF-0000-0010DACB0200}3188C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016678Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:25:59.033{326AC46C-7C10-5FBF-0000-0010F8650000}5921028C:\Windows\system32\svchost.exe{326AC46C-7C21-5FBF-0000-0010DACB0200}3188C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016677Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:25:59.033{326AC46C-7C10-5FBF-0000-0010F8650000}5921028C:\Windows\system32\svchost.exe{326AC46C-7C21-5FBF-0000-0010DACB0200}3188C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016676Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:25:59.033{326AC46C-7C0D-5FBF-0000-001005430000}6401160C:\Windows\system32\csrss.exe{326AC46C-82B7-5FBF-0000-001063F22800}5892C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000016675Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:25:59.033{326AC46C-7C94-5FBF-0000-0010CF200600}4476884C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{326AC46C-82B7-5FBF-0000-001063F22800}5892C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000016674Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:25:59.034{326AC46C-82B7-5FBF-0000-001063F22800}5892C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{326AC46C-7C0E-5FBF-0000-0020E7030000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{326AC46C-7C94-5FBF-0000-0010CF200600}4476C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000016700Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:26:00.829{326AC46C-82B8-5FBF-0000-0010D7F52800}45802420C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{326AC46C-7C94-5FBF-0000-0010CF200600}4476C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016699Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:26:00.689{326AC46C-7C94-5FBF-0000-0010AB250600}30883244C:\Windows\system32\conhost.exe{326AC46C-82B8-5FBF-0000-0010D7F52800}4580C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016698Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:26:00.689{326AC46C-7C10-5FBF-0000-0010F8650000}5921028C:\Windows\system32\svchost.exe{326AC46C-7C21-5FBF-0000-0010DACB0200}3188C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016697Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:26:00.689{326AC46C-7C10-5FBF-0000-0010F8650000}5921028C:\Windows\system32\svchost.exe{326AC46C-7C21-5FBF-0000-0010DACB0200}3188C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016696Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:26:00.689{326AC46C-7C10-5FBF-0000-0010F8650000}5921028C:\Windows\system32\svchost.exe{326AC46C-7C21-5FBF-0000-0010DACB0200}3188C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016695Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:26:00.689{326AC46C-7C10-5FBF-0000-0010F8650000}5921028C:\Windows\system32\svchost.exe{326AC46C-7C21-5FBF-0000-0010DACB0200}3188C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016694Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:26:00.689{326AC46C-7C0D-5FBF-0000-001005430000}6402148C:\Windows\system32\csrss.exe{326AC46C-82B8-5FBF-0000-0010D7F52800}4580C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000016693Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:26:00.689{326AC46C-7C94-5FBF-0000-0010CF200600}4476884C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{326AC46C-82B8-5FBF-0000-0010D7F52800}4580C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000016692Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:26:00.689{326AC46C-82B8-5FBF-0000-0010D7F52800}4580C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe?????"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{326AC46C-7C0E-5FBF-0000-0020E7030000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{326AC46C-7C94-5FBF-0000-0010CF200600}4476C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000016691Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:26:00.157{326AC46C-82B8-5FBF-0000-001014F42800}49724376C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{326AC46C-7C94-5FBF-0000-0010CF200600}4476C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016690Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:26:00.017{326AC46C-7C94-5FBF-0000-0010AB250600}30883244C:\Windows\system32\conhost.exe{326AC46C-82B8-5FBF-0000-001014F42800}4972C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016689Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:26:00.017{326AC46C-7C10-5FBF-0000-0010F8650000}5921028C:\Windows\system32\svchost.exe{326AC46C-7C21-5FBF-0000-0010DACB0200}3188C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016688Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:26:00.017{326AC46C-7C10-5FBF-0000-0010F8650000}5921028C:\Windows\system32\svchost.exe{326AC46C-7C21-5FBF-0000-0010DACB0200}3188C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016687Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:26:00.017{326AC46C-7C10-5FBF-0000-0010F8650000}5921028C:\Windows\system32\svchost.exe{326AC46C-7C21-5FBF-0000-0010DACB0200}3188C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016686Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:26:00.017{326AC46C-7C10-5FBF-0000-0010F8650000}5921028C:\Windows\system32\svchost.exe{326AC46C-7C21-5FBF-0000-0010DACB0200}3188C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016685Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:26:00.017{326AC46C-7C0D-5FBF-0000-001005430000}6401160C:\Windows\system32\csrss.exe{326AC46C-82B8-5FBF-0000-001014F42800}4972C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000016684Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:26:00.017{326AC46C-7C94-5FBF-0000-0010CF200600}4476884C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{326AC46C-82B8-5FBF-0000-001014F42800}4972C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000016683Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:26:00.018{326AC46C-82B8-5FBF-0000-001014F42800}4972C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe?????"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{326AC46C-7C0E-5FBF-0000-0020E7030000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{326AC46C-7C94-5FBF-0000-0010CF200600}4476C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000016709Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:26:01.470{326AC46C-82B9-5FBF-0000-001096F72800}65085184C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{326AC46C-7C94-5FBF-0000-0010CF200600}4476C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016708Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:26:01.314{326AC46C-7C94-5FBF-0000-0010AB250600}30883244C:\Windows\system32\conhost.exe{326AC46C-82B9-5FBF-0000-001096F72800}6508C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016707Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:26:01.314{326AC46C-7C10-5FBF-0000-0010F8650000}5921028C:\Windows\system32\svchost.exe{326AC46C-7C21-5FBF-0000-0010DACB0200}3188C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016706Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:26:01.314{326AC46C-7C10-5FBF-0000-0010F8650000}5921028C:\Windows\system32\svchost.exe{326AC46C-7C21-5FBF-0000-0010DACB0200}3188C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016705Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:26:01.314{326AC46C-7C10-5FBF-0000-0010F8650000}5921028C:\Windows\system32\svchost.exe{326AC46C-7C21-5FBF-0000-0010DACB0200}3188C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016704Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:26:01.314{326AC46C-7C10-5FBF-0000-0010F8650000}5921028C:\Windows\system32\svchost.exe{326AC46C-7C21-5FBF-0000-0010DACB0200}3188C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016703Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:26:01.314{326AC46C-7C0D-5FBF-0000-001005430000}640656C:\Windows\system32\csrss.exe{326AC46C-82B9-5FBF-0000-001096F72800}6508C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000016702Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:26:01.314{326AC46C-7C94-5FBF-0000-0010CF200600}4476884C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{326AC46C-82B9-5FBF-0000-001096F72800}6508C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000016701Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:26:01.315{326AC46C-82B9-5FBF-0000-001096F72800}6508C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{326AC46C-7C0E-5FBF-0000-0020E7030000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{326AC46C-7C94-5FBF-0000-0010CF200600}4476C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000016740Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:26:02.579{326AC46C-7C10-5FBF-0000-001009AA0000}616576C:\Windows\system32\svchost.exe{326AC46C-7EDD-5FBF-0000-001031601100}5200C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016739Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:26:02.579{326AC46C-7C10-5FBF-0000-001009AA0000}616576C:\Windows\system32\svchost.exe{326AC46C-7EDD-5FBF-0000-001031601100}5200C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016738Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:26:02.579{326AC46C-7C10-5FBF-0000-001009AA0000}616576C:\Windows\system32\svchost.exe{326AC46C-7EDD-5FBF-0000-001031601100}5200C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016737Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:26:02.579{326AC46C-7C10-5FBF-0000-001009AA0000}616576C:\Windows\system32\svchost.exe{326AC46C-7EDD-5FBF-0000-001031601100}5200C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016736Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:26:02.579{326AC46C-7C10-5FBF-0000-001009AA0000}616576C:\Windows\system32\svchost.exe{326AC46C-7EDD-5FBF-0000-001031601100}5200C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016735Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:26:02.579{326AC46C-7C10-5FBF-0000-001009AA0000}616576C:\Windows\system32\svchost.exe{326AC46C-7EDD-5FBF-0000-001031601100}5200C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016734Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:26:02.579{326AC46C-7C10-5FBF-0000-001009AA0000}616576C:\Windows\system32\svchost.exe{326AC46C-7EDD-5FBF-0000-001031601100}5200C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016733Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:26:02.579{326AC46C-7C10-5FBF-0000-001009AA0000}616576C:\Windows\system32\svchost.exe{326AC46C-7EC8-5FBF-0000-001074D40D00}3504C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016732Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:26:02.579{326AC46C-7C10-5FBF-0000-001009AA0000}616576C:\Windows\system32\svchost.exe{326AC46C-7EC8-5FBF-0000-001074D40D00}3504C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016731Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:26:02.579{326AC46C-7C10-5FBF-0000-001009AA0000}616576C:\Windows\system32\svchost.exe{326AC46C-7EC8-5FBF-0000-001074D40D00}3504C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016730Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:26:02.579{326AC46C-7C10-5FBF-0000-001009AA0000}616576C:\Windows\system32\svchost.exe{326AC46C-7EC8-5FBF-0000-001074D40D00}3504C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016729Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:26:02.579{326AC46C-7C10-5FBF-0000-001009AA0000}616576C:\Windows\system32\svchost.exe{326AC46C-7EC8-5FBF-0000-001074D40D00}3504C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016728Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:26:02.579{326AC46C-7C10-5FBF-0000-001009AA0000}616576C:\Windows\system32\svchost.exe{326AC46C-7EC8-5FBF-0000-001074D40D00}3504C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016727Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:26:02.579{326AC46C-7C10-5FBF-0000-001009AA0000}616576C:\Windows\system32\svchost.exe{326AC46C-7EC8-5FBF-0000-001074D40D00}3504C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016726Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:26:02.579{326AC46C-7C10-5FBF-0000-001009AA0000}616576C:\Windows\system32\svchost.exe{326AC46C-7EC8-5FBF-0000-001074D40D00}3504C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016725Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:26:02.579{326AC46C-7C10-5FBF-0000-001009AA0000}616576C:\Windows\system32\svchost.exe{326AC46C-7EC8-5FBF-0000-001074D40D00}3504C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016724Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:26:02.579{326AC46C-7C10-5FBF-0000-001009AA0000}616576C:\Windows\system32\svchost.exe{326AC46C-7EC8-5FBF-0000-001074D40D00}3504C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016723Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:26:02.579{326AC46C-7C10-5FBF-0000-001009AA0000}616576C:\Windows\system32\svchost.exe{326AC46C-7EC8-5FBF-0000-001074D40D00}3504C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016722Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:26:02.579{326AC46C-7C10-5FBF-0000-001009AA0000}616576C:\Windows\system32\svchost.exe{326AC46C-7EC8-5FBF-0000-001074D40D00}3504C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016721Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:26:02.579{326AC46C-7C10-5FBF-0000-001009AA0000}616576C:\Windows\system32\svchost.exe{326AC46C-7EC8-5FBF-0000-001074D40D00}3504C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016720Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:26:02.579{326AC46C-7C10-5FBF-0000-001009AA0000}616576C:\Windows\system32\svchost.exe{326AC46C-7EC8-5FBF-0000-001074D40D00}3504C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016719Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:26:02.579{326AC46C-7C10-5FBF-0000-001009AA0000}616576C:\Windows\system32\svchost.exe{326AC46C-7EC8-5FBF-0000-0010D8EE0D00}1632C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016718Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:26:02.579{326AC46C-7C10-5FBF-0000-001009AA0000}616576C:\Windows\system32\svchost.exe{326AC46C-7EC8-5FBF-0000-0010D8EE0D00}1632C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016717Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:26:02.579{326AC46C-7C10-5FBF-0000-001009AA0000}616576C:\Windows\system32\svchost.exe{326AC46C-7EDD-5FBF-0000-001020381100}3460C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016716Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:26:02.579{326AC46C-7C10-5FBF-0000-001009AA0000}616576C:\Windows\system32\svchost.exe{326AC46C-7EDD-5FBF-0000-001020381100}3460C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016715Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:26:02.579{326AC46C-7C10-5FBF-0000-001009AA0000}616576C:\Windows\system32\svchost.exe{326AC46C-7EDD-5FBF-0000-001020381100}3460C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016714Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:26:02.579{326AC46C-7C10-5FBF-0000-001009AA0000}616576C:\Windows\system32\svchost.exe{326AC46C-7EDD-5FBF-0000-001020381100}3460C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016713Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:26:02.579{326AC46C-7C10-5FBF-0000-001009AA0000}616576C:\Windows\system32\svchost.exe{326AC46C-7EDD-5FBF-0000-001020381100}3460C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016712Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:26:02.579{326AC46C-7C10-5FBF-0000-001009AA0000}616576C:\Windows\system32\svchost.exe{326AC46C-7EDD-5FBF-0000-001020381100}3460C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016711Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:26:02.579{326AC46C-7C10-5FBF-0000-001009AA0000}616576C:\Windows\system32\svchost.exe{326AC46C-7EDD-5FBF-0000-001020381100}3460C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016710Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:26:02.579{326AC46C-7C10-5FBF-0000-001009AA0000}616576C:\Windows\system32\svchost.exe{326AC46C-7EDD-5FBF-0000-001020381100}3460C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016748Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:26:03.282{326AC46C-7C94-5FBF-0000-0010AB250600}30883244C:\Windows\system32\conhost.exe{326AC46C-82BB-5FBF-0000-0010C3FB2800}4520C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016747Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:26:03.282{326AC46C-7C10-5FBF-0000-0010F8650000}5921028C:\Windows\system32\svchost.exe{326AC46C-7C21-5FBF-0000-0010DACB0200}3188C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016746Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:26:03.282{326AC46C-7C10-5FBF-0000-0010F8650000}5921028C:\Windows\system32\svchost.exe{326AC46C-7C21-5FBF-0000-0010DACB0200}3188C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016745Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:26:03.282{326AC46C-7C10-5FBF-0000-0010F8650000}5921028C:\Windows\system32\svchost.exe{326AC46C-7C21-5FBF-0000-0010DACB0200}3188C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016744Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:26:03.282{326AC46C-7C10-5FBF-0000-0010F8650000}5921028C:\Windows\system32\svchost.exe{326AC46C-7C21-5FBF-0000-0010DACB0200}3188C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016743Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:26:03.282{326AC46C-7C0D-5FBF-0000-001005430000}640800C:\Windows\system32\csrss.exe{326AC46C-82BB-5FBF-0000-0010C3FB2800}4520C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000016742Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:26:03.282{326AC46C-7C94-5FBF-0000-0010CF200600}4476884C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{326AC46C-82BB-5FBF-0000-0010C3FB2800}4520C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000016741Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:26:03.283{326AC46C-82BB-5FBF-0000-0010C3FB2800}4520C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{326AC46C-7C0E-5FBF-0000-0020E7030000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{326AC46C-7C94-5FBF-0000-0010CF200600}4476C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000016756Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:26:38.220{326AC46C-7EF8-5FBF-0000-0010FFAA1600}69806648C:\Windows\system32\conhost.exe{326AC46C-82DE-5FBF-0000-0010D00A2900}7164C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016755Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:26:38.220{326AC46C-7C10-5FBF-0000-0010F8650000}5921028C:\Windows\system32\svchost.exe{326AC46C-7C21-5FBF-0000-0010DACB0200}3188C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016754Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:26:38.220{326AC46C-7C10-5FBF-0000-0010F8650000}5921028C:\Windows\system32\svchost.exe{326AC46C-7C21-5FBF-0000-0010DACB0200}3188C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016753Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:26:38.220{326AC46C-7C10-5FBF-0000-0010F8650000}5921028C:\Windows\system32\svchost.exe{326AC46C-7C21-5FBF-0000-0010DACB0200}3188C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016752Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:26:38.220{326AC46C-7C10-5FBF-0000-0010F8650000}5921028C:\Windows\system32\svchost.exe{326AC46C-7C21-5FBF-0000-0010DACB0200}3188C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016751Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:26:38.220{326AC46C-7EC5-5FBF-0000-001050330C00}16523284C:\Windows\system32\csrss.exe{326AC46C-82DE-5FBF-0000-0010D00A2900}7164C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000016750Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:26:38.220{326AC46C-7EF8-5FBF-0000-00102BAA1600}69885264C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{326AC46C-82DE-5FBF-0000-0010D00A2900}7164C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+3332f6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b5560|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b4f07|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+75579adb|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+74a1a6e5|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+74a1a3b6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+754cbc9b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+749daf4c|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+74a3941b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+74a1ca80|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+74a1ca80|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+74a1c911|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+74a0e896|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+74a1adc9|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+74a1a965|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+74a1a6e5|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+74a1a3b6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+754cbc9b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+74a01217|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+74a007e7 154100x800000000000000016749Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:26:38.231{326AC46C-82DE-5FBF-0000-0010D00A2900}7164C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exe"C:\Windows\system32\reg.exe" add HKLM\SYSTEM\CurrentControlSet\Services\calcservice /v ImagePath /d %%windir%%\system32\cmd.exeC:\Users\Administrator\ATTACKRANGE\Administrator{326AC46C-7EC6-5FBF-0000-00208F290D00}0xd298f2HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{326AC46C-7EF8-5FBF-0000-00102BAA1600}6988C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" 13241300x800000000000000016757Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.localT1031,T1050SetValue2020-11-26 10:26:44.345{326AC46C-82DE-5FBF-0000-0010D00A2900}7164C:\Windows\system32\reg.exeHKLM\System\CurrentControlSet\Services\calcservice\ImagePath%%windir%%\system32\cmd.exe 10341000x800000000000000016765Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:26:57.751{326AC46C-7C94-5FBF-0000-0010AB250600}30883244C:\Windows\system32\conhost.exe{326AC46C-82F1-5FBF-0000-0010710F2900}3132C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016764Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:26:57.751{326AC46C-7C10-5FBF-0000-0010F8650000}5921028C:\Windows\system32\svchost.exe{326AC46C-7C21-5FBF-0000-0010DACB0200}3188C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016763Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:26:57.751{326AC46C-7C10-5FBF-0000-0010F8650000}5921028C:\Windows\system32\svchost.exe{326AC46C-7C21-5FBF-0000-0010DACB0200}3188C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016762Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:26:57.751{326AC46C-7C10-5FBF-0000-0010F8650000}5921028C:\Windows\system32\svchost.exe{326AC46C-7C21-5FBF-0000-0010DACB0200}3188C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016761Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:26:57.751{326AC46C-7C10-5FBF-0000-0010F8650000}5921028C:\Windows\system32\svchost.exe{326AC46C-7C21-5FBF-0000-0010DACB0200}3188C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016760Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:26:57.751{326AC46C-7C0D-5FBF-0000-001005430000}6402148C:\Windows\system32\csrss.exe{326AC46C-82F1-5FBF-0000-0010710F2900}3132C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000016759Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:26:57.751{326AC46C-7C94-5FBF-0000-0010CF200600}4476884C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{326AC46C-82F1-5FBF-0000-0010710F2900}3132C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000016758Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:26:57.752{326AC46C-82F1-5FBF-0000-0010710F2900}3132C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{326AC46C-7C0E-5FBF-0000-0020E7030000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{326AC46C-7C94-5FBF-0000-0010CF200600}4476C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000016773Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:26:58.438{326AC46C-7C94-5FBF-0000-0010AB250600}30883244C:\Windows\system32\conhost.exe{326AC46C-82F2-5FBF-0000-00101C112900}2696C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016772Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:26:58.438{326AC46C-7C10-5FBF-0000-0010F8650000}5921028C:\Windows\system32\svchost.exe{326AC46C-7C21-5FBF-0000-0010DACB0200}3188C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016771Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:26:58.438{326AC46C-7C10-5FBF-0000-0010F8650000}5921028C:\Windows\system32\svchost.exe{326AC46C-7C21-5FBF-0000-0010DACB0200}3188C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016770Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:26:58.438{326AC46C-7C10-5FBF-0000-0010F8650000}5921028C:\Windows\system32\svchost.exe{326AC46C-7C21-5FBF-0000-0010DACB0200}3188C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016769Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:26:58.438{326AC46C-7C10-5FBF-0000-0010F8650000}5921028C:\Windows\system32\svchost.exe{326AC46C-7C21-5FBF-0000-0010DACB0200}3188C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016768Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:26:58.438{326AC46C-7C0D-5FBF-0000-001005430000}6402460C:\Windows\system32\csrss.exe{326AC46C-82F2-5FBF-0000-00101C112900}2696C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000016767Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:26:58.438{326AC46C-7C94-5FBF-0000-0010CF200600}4476884C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{326AC46C-82F2-5FBF-0000-00101C112900}2696C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000016766Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:26:58.439{326AC46C-82F2-5FBF-0000-00101C112900}2696C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{326AC46C-7C0E-5FBF-0000-0020E7030000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{326AC46C-7C94-5FBF-0000-0010CF200600}4476C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000016782Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:26:59.251{326AC46C-82F3-5FBF-0000-0010D2122900}58886040C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{326AC46C-7C94-5FBF-0000-0010CF200600}4476C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016781Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:26:59.110{326AC46C-7C94-5FBF-0000-0010AB250600}30883244C:\Windows\system32\conhost.exe{326AC46C-82F3-5FBF-0000-0010D2122900}5888C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016780Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:26:59.110{326AC46C-7C10-5FBF-0000-0010F8650000}5921028C:\Windows\system32\svchost.exe{326AC46C-7C21-5FBF-0000-0010DACB0200}3188C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016779Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:26:59.110{326AC46C-7C10-5FBF-0000-0010F8650000}5921028C:\Windows\system32\svchost.exe{326AC46C-7C21-5FBF-0000-0010DACB0200}3188C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016778Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:26:59.110{326AC46C-7C10-5FBF-0000-0010F8650000}5921028C:\Windows\system32\svchost.exe{326AC46C-7C21-5FBF-0000-0010DACB0200}3188C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016777Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:26:59.110{326AC46C-7C10-5FBF-0000-0010F8650000}5921028C:\Windows\system32\svchost.exe{326AC46C-7C21-5FBF-0000-0010DACB0200}3188C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016776Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:26:59.110{326AC46C-7C0D-5FBF-0000-001005430000}6402460C:\Windows\system32\csrss.exe{326AC46C-82F3-5FBF-0000-0010D2122900}5888C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000016775Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:26:59.110{326AC46C-7C94-5FBF-0000-0010CF200600}4476884C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{326AC46C-82F3-5FBF-0000-0010D2122900}5888C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000016774Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:26:59.111{326AC46C-82F3-5FBF-0000-0010D2122900}5888C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{326AC46C-7C0E-5FBF-0000-0020E7030000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{326AC46C-7C94-5FBF-0000-0010CF200600}4476C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000016800Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:27:00.813{326AC46C-82F4-5FBF-0000-001047162900}12004844C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{326AC46C-7C94-5FBF-0000-0010CF200600}4476C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016799Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:27:00.688{326AC46C-7C94-5FBF-0000-0010AB250600}30883244C:\Windows\system32\conhost.exe{326AC46C-82F4-5FBF-0000-001047162900}1200C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016798Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:27:00.688{326AC46C-7C10-5FBF-0000-0010F8650000}5921028C:\Windows\system32\svchost.exe{326AC46C-7C21-5FBF-0000-0010DACB0200}3188C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016797Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:27:00.688{326AC46C-7C10-5FBF-0000-0010F8650000}5921028C:\Windows\system32\svchost.exe{326AC46C-7C21-5FBF-0000-0010DACB0200}3188C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016796Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:27:00.688{326AC46C-7C10-5FBF-0000-0010F8650000}5921028C:\Windows\system32\svchost.exe{326AC46C-7C21-5FBF-0000-0010DACB0200}3188C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016795Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:27:00.688{326AC46C-7C10-5FBF-0000-0010F8650000}5921028C:\Windows\system32\svchost.exe{326AC46C-7C21-5FBF-0000-0010DACB0200}3188C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016794Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:27:00.688{326AC46C-7C0D-5FBF-0000-001005430000}640800C:\Windows\system32\csrss.exe{326AC46C-82F4-5FBF-0000-001047162900}1200C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000016793Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:27:00.688{326AC46C-7C94-5FBF-0000-0010CF200600}4476884C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{326AC46C-82F4-5FBF-0000-001047162900}1200C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000016792Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:27:00.689{326AC46C-82F4-5FBF-0000-001047162900}1200C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe?????"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{326AC46C-7C0E-5FBF-0000-0020E7030000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{326AC46C-7C94-5FBF-0000-0010CF200600}4476C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000016791Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:27:00.142{326AC46C-82F4-5FBF-0000-001089142900}66565244C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{326AC46C-7C94-5FBF-0000-0010CF200600}4476C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016790Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:27:00.017{326AC46C-7C94-5FBF-0000-0010AB250600}30883244C:\Windows\system32\conhost.exe{326AC46C-82F4-5FBF-0000-001089142900}6656C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016789Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:27:00.017{326AC46C-7C10-5FBF-0000-0010F8650000}5921028C:\Windows\system32\svchost.exe{326AC46C-7C21-5FBF-0000-0010DACB0200}3188C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016788Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:27:00.017{326AC46C-7C10-5FBF-0000-0010F8650000}5921028C:\Windows\system32\svchost.exe{326AC46C-7C21-5FBF-0000-0010DACB0200}3188C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016787Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:27:00.017{326AC46C-7C10-5FBF-0000-0010F8650000}5921028C:\Windows\system32\svchost.exe{326AC46C-7C21-5FBF-0000-0010DACB0200}3188C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016786Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:27:00.017{326AC46C-7C10-5FBF-0000-0010F8650000}5921028C:\Windows\system32\svchost.exe{326AC46C-7C21-5FBF-0000-0010DACB0200}3188C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016785Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:27:00.017{326AC46C-7C0D-5FBF-0000-001005430000}6402148C:\Windows\system32\csrss.exe{326AC46C-82F4-5FBF-0000-001089142900}6656C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000016784Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:27:00.017{326AC46C-7C94-5FBF-0000-0010CF200600}4476884C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{326AC46C-82F4-5FBF-0000-001089142900}6656C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000016783Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:27:00.017{326AC46C-82F4-5FBF-0000-001089142900}6656C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe?????"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{326AC46C-7C0E-5FBF-0000-0020E7030000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{326AC46C-7C94-5FBF-0000-0010CF200600}4476C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000016809Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:27:01.501{326AC46C-82F5-5FBF-0000-0010F0172900}51442328C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{326AC46C-7C94-5FBF-0000-0010CF200600}4476C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016808Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:27:01.360{326AC46C-7C94-5FBF-0000-0010AB250600}30883244C:\Windows\system32\conhost.exe{326AC46C-82F5-5FBF-0000-0010F0172900}5144C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016807Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:27:01.360{326AC46C-7C10-5FBF-0000-0010F8650000}5921028C:\Windows\system32\svchost.exe{326AC46C-7C21-5FBF-0000-0010DACB0200}3188C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016806Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:27:01.360{326AC46C-7C10-5FBF-0000-0010F8650000}5921028C:\Windows\system32\svchost.exe{326AC46C-7C21-5FBF-0000-0010DACB0200}3188C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016805Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:27:01.360{326AC46C-7C10-5FBF-0000-0010F8650000}5921028C:\Windows\system32\svchost.exe{326AC46C-7C21-5FBF-0000-0010DACB0200}3188C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016804Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:27:01.360{326AC46C-7C10-5FBF-0000-0010F8650000}5921028C:\Windows\system32\svchost.exe{326AC46C-7C21-5FBF-0000-0010DACB0200}3188C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016803Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:27:01.360{326AC46C-7C0D-5FBF-0000-001005430000}6402148C:\Windows\system32\csrss.exe{326AC46C-82F5-5FBF-0000-0010F0172900}5144C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000016802Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:27:01.360{326AC46C-7C94-5FBF-0000-0010CF200600}4476884C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{326AC46C-82F5-5FBF-0000-0010F0172900}5144C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000016801Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:27:01.361{326AC46C-82F5-5FBF-0000-0010F0172900}5144C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{326AC46C-7C0E-5FBF-0000-0020E7030000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{326AC46C-7C94-5FBF-0000-0010CF200600}4476C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000016817Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:27:03.298{326AC46C-7C94-5FBF-0000-0010AB250600}30883244C:\Windows\system32\conhost.exe{326AC46C-82F7-5FBF-0000-0010A31A2900}6964C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016816Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:27:03.298{326AC46C-7C10-5FBF-0000-0010F8650000}5921028C:\Windows\system32\svchost.exe{326AC46C-7C21-5FBF-0000-0010DACB0200}3188C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016815Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:27:03.298{326AC46C-7C10-5FBF-0000-0010F8650000}5921028C:\Windows\system32\svchost.exe{326AC46C-7C21-5FBF-0000-0010DACB0200}3188C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016814Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:27:03.298{326AC46C-7C10-5FBF-0000-0010F8650000}5921028C:\Windows\system32\svchost.exe{326AC46C-7C21-5FBF-0000-0010DACB0200}3188C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016813Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:27:03.298{326AC46C-7C10-5FBF-0000-0010F8650000}5921028C:\Windows\system32\svchost.exe{326AC46C-7C21-5FBF-0000-0010DACB0200}3188C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016812Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:27:03.298{326AC46C-7C0D-5FBF-0000-001005430000}6402460C:\Windows\system32\csrss.exe{326AC46C-82F7-5FBF-0000-0010A31A2900}6964C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000016811Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:27:03.298{326AC46C-7C94-5FBF-0000-0010CF200600}4476884C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{326AC46C-82F7-5FBF-0000-0010A31A2900}6964C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000016810Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:27:03.298{326AC46C-82F7-5FBF-0000-0010A31A2900}6964C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{326AC46C-7C0E-5FBF-0000-0020E7030000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{326AC46C-7C94-5FBF-0000-0010CF200600}4476C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 13241300x800000000000000016818Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.localSetValue2020-11-26 10:27:13.266{326AC46C-7C11-5FBF-0000-0010F6C50000}1220C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d6c3de-0xb483546d) 10341000x800000000000000016819Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:27:35.079{326AC46C-7C0E-5FBF-0000-001031540000}860980C:\Windows\system32\lsass.exe{326AC46C-7C0C-5FBF-0000-0010EB030000}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2e101|C:\Windows\system32\lsasrv.dll+2c2c4|C:\Windows\system32\lsasrv.dll+31819|C:\Windows\system32\lsasrv.dll+2f177|C:\Windows\system32\lsasrv.dll+2e101|C:\Windows\system32\lsasrv.dll+16cdd|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 13241300x800000000000000016843Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.localSetValue2020-11-26 10:27:37.954{326AC46C-7C0E-5FBF-0000-001031540000}860C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x800000000000000016842Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.localSetValue2020-11-26 10:27:37.954{326AC46C-7C0E-5FBF-0000-001031540000}860C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x001b9cd9) 13241300x800000000000000016841Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.localSetValue2020-11-26 10:27:37.954{326AC46C-7C0E-5FBF-0000-001031540000}860C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d6c3d6-0x610e3273) 13241300x800000000000000016840Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.localSetValue2020-11-26 10:27:37.954{326AC46C-7C0E-5FBF-0000-001031540000}860C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d6c3de-0xc2d29a73) 13241300x800000000000000016839Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.localSetValue2020-11-26 10:27:37.954{326AC46C-7C0E-5FBF-0000-001031540000}860C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d6c3e7-0x24970273) 13241300x800000000000000016838Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.localSetValue2020-11-26 10:27:37.954{326AC46C-7C0E-5FBF-0000-001031540000}860C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x800000000000000016837Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.localSetValue2020-11-26 10:27:37.954{326AC46C-7C0E-5FBF-0000-001031540000}860C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x001b9cd9) 13241300x800000000000000016836Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.localSetValue2020-11-26 10:27:37.954{326AC46C-7C0E-5FBF-0000-001031540000}860C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d6c3d6-0x610e3273) 13241300x800000000000000016835Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.localSetValue2020-11-26 10:27:37.954{326AC46C-7C0E-5FBF-0000-001031540000}860C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d6c3de-0xc2d29a73) 13241300x800000000000000016834Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.localSetValue2020-11-26 10:27:37.954{326AC46C-7C0E-5FBF-0000-001031540000}860C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d6c3e7-0x24970273) 13241300x800000000000000016833Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.localSetValue2020-11-26 10:27:37.344{326AC46C-7C11-5FBF-0000-0010F2C50000}1212C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{90869922-2fcf-4d43-859e-b22588a4ffef}\DhcpConnForceBroadcastFlagDWORD (0x00000000) 13241300x800000000000000016832Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.localSetValue2020-11-26 10:27:37.344{326AC46C-7C11-5FBF-0000-0010F2C50000}1212C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{90869922-2fcf-4d43-859e-b22588a4ffef}\IsServerNapAwareDWORD (0x00000000) 13241300x800000000000000016831Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.localSetValue2020-11-26 10:27:37.344{326AC46C-7C11-5FBF-0000-0010F2C50000}1212C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{90869922-2fcf-4d43-859e-b22588a4ffef}\AddressTypeDWORD (0x00000000) 13241300x800000000000000016830Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.localSetValue2020-11-26 10:27:37.344{326AC46C-7C11-5FBF-0000-0010F2C50000}1212C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{90869922-2fcf-4d43-859e-b22588a4ffef}\LeaseTerminatesTimeDWORD (0x5fbf9129) 13241300x800000000000000016829Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.localSetValue2020-11-26 10:27:37.344{326AC46C-7C11-5FBF-0000-0010F2C50000}1212C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{90869922-2fcf-4d43-859e-b22588a4ffef}\T2DWORD (0x5fbf8f67) 13241300x800000000000000016828Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.localSetValue2020-11-26 10:27:37.344{326AC46C-7C11-5FBF-0000-0010F2C50000}1212C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{90869922-2fcf-4d43-859e-b22588a4ffef}\T1DWORD (0x5fbf8a21) 13241300x800000000000000016827Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.localSetValue2020-11-26 10:27:37.344{326AC46C-7C11-5FBF-0000-0010F2C50000}1212C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{90869922-2fcf-4d43-859e-b22588a4ffef}\LeaseObtainedTimeDWORD (0x5fbf8319) 13241300x800000000000000016826Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.localSetValue2020-11-26 10:27:37.344{326AC46C-7C11-5FBF-0000-0010F2C50000}1212C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{90869922-2fcf-4d43-859e-b22588a4ffef}\LeaseDWORD (0x00000e10) 13241300x800000000000000016825Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.localSetValue2020-11-26 10:27:37.344{326AC46C-7C11-5FBF-0000-0010F2C50000}1212C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{90869922-2fcf-4d43-859e-b22588a4ffef}\DhcpServer10.0.1.1 13241300x800000000000000016824Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.localSetValue2020-11-26 10:27:37.344{326AC46C-7C11-5FBF-0000-0010F2C50000}1212C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{90869922-2fcf-4d43-859e-b22588a4ffef}\DhcpSubnetMask255.255.255.0 13241300x800000000000000016823Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.localSetValue2020-11-26 10:27:37.344{326AC46C-7C11-5FBF-0000-0010F2C50000}1212C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{90869922-2fcf-4d43-859e-b22588a4ffef}\DhcpIPAddress10.0.1.14 13241300x800000000000000016822Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.localSetValue2020-11-26 10:27:37.344{326AC46C-7C11-5FBF-0000-0010F2C50000}1212C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{90869922-2fcf-4d43-859e-b22588a4ffef}\DhcpInterfaceOptionsBinary Data 10341000x800000000000000016821Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:27:37.282{326AC46C-7C11-5FBF-0000-001099BA0000}11487116C:\Windows\system32\svchost.exe{326AC46C-7C21-5FBF-0000-00108CCC0200}3248C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+2a2f2|C:\Windows\system32\wbem\wmiprvsd.dll+29e26|C:\Windows\system32\wbem\wmiprvsd.dll+28432|C:\Windows\system32\wbem\wmiprvsd.dll+57817|C:\Windows\system32\wbem\wmiprvsd.dll+8a475|C:\Windows\system32\wbem\wbemcore.dll+bcb3|C:\Windows\system32\wbem\wbemcore.dll+3393|C:\Windows\system32\wbem\wbemcore.dll+22adf|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+2c9be|C:\Windows\system32\wbem\wbemcore.dll+202d8|C:\Windows\system32\wbem\wbemcore.dll+390e|C:\Windows\system32\wbem\wbemcore.dll+22bba|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016820Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:27:37.282{326AC46C-7C11-5FBF-0000-001099BA0000}11487116C:\Windows\system32\svchost.exe{326AC46C-7C21-5FBF-0000-00108CCC0200}3248C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+2597b|C:\Windows\system32\wbem\wmiprvsd.dll+283dc|C:\Windows\system32\wbem\wmiprvsd.dll+57817|C:\Windows\system32\wbem\wmiprvsd.dll+8a475|C:\Windows\system32\wbem\wbemcore.dll+bcb3|C:\Windows\system32\wbem\wbemcore.dll+3393|C:\Windows\system32\wbem\wbemcore.dll+22adf|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+2c9be|C:\Windows\system32\wbem\wbemcore.dll+202d8|C:\Windows\system32\wbem\wbemcore.dll+390e|C:\Windows\system32\wbem\wbemcore.dll+22bba|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x800000000000000016857Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.localSetValue2020-11-26 10:27:39.375{326AC46C-7C11-5FBF-0000-0010B7D00000}1328C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{90869922-2FCF-4D43-859E-B22588A4FFEF}\RegisteredSinceBootDWORD (0x00000001) 13241300x800000000000000016856Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.localSetValue2020-11-26 10:27:39.375{326AC46C-7C11-5FBF-0000-0010B7D00000}1328C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{90869922-2FCF-4D43-859E-B22588A4FFEF}\StaleAdapterDWORD (0x00000000) 13241300x800000000000000016855Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.localSetValue2020-11-26 10:27:39.375{326AC46C-7C11-5FBF-0000-0010B7D00000}1328C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{90869922-2FCF-4D43-859E-B22588A4FFEF}\CompartmentIdDWORD (0x00000001) 13241300x800000000000000016854Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.localSetValue2020-11-26 10:27:39.375{326AC46C-7C11-5FBF-0000-0010B7D00000}1328C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{90869922-2FCF-4D43-859E-B22588A4FFEF}\FlagsDWORD (0x00000002) 13241300x800000000000000016853Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.localSetValue2020-11-26 10:27:39.375{326AC46C-7C11-5FBF-0000-0010B7D00000}1328C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{90869922-2FCF-4D43-859E-B22588A4FFEF}\TtlDWORD (0x000004b0) 13241300x800000000000000016852Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.localSetValue2020-11-26 10:27:39.375{326AC46C-7C11-5FBF-0000-0010B7D00000}1328C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{90869922-2FCF-4D43-859E-B22588A4FFEF}\SentPriUpdateToIpBinary Data 13241300x800000000000000016851Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.localSetValue2020-11-26 10:27:39.375{326AC46C-7C11-5FBF-0000-0010B7D00000}1328C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{90869922-2FCF-4D43-859E-B22588A4FFEF}\SentUpdateToIpBinary Data 13241300x800000000000000016850Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.localSetValue2020-11-26 10:27:39.375{326AC46C-7C11-5FBF-0000-0010B7D00000}1328C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{90869922-2FCF-4D43-859E-B22588A4FFEF}\DnsServersBinary Data 13241300x800000000000000016849Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.localSetValue2020-11-26 10:27:39.375{326AC46C-7C11-5FBF-0000-0010B7D00000}1328C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{90869922-2FCF-4D43-859E-B22588A4FFEF}\HostAddrsBinary Data 13241300x800000000000000016848Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.localSetValue2020-11-26 10:27:39.375{326AC46C-7C11-5FBF-0000-0010B7D00000}1328C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{90869922-2FCF-4D43-859E-B22588A4FFEF}\PrimaryDomainNameattackrange.local 13241300x800000000000000016847Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.localSetValue2020-11-26 10:27:39.375{326AC46C-7C11-5FBF-0000-0010B7D00000}1328C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{90869922-2FCF-4D43-859E-B22588A4FFEF}\AdapterDomainName(Empty) 13241300x800000000000000016846Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.localSetValue2020-11-26 10:27:39.375{326AC46C-7C11-5FBF-0000-0010B7D00000}1328C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{90869922-2FCF-4D43-859E-B22588A4FFEF}\Hostnamewin-dc-655 10341000x800000000000000016845Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:27:39.375{326AC46C-7C0E-5FBF-0000-001031540000}860896C:\Windows\system32\lsass.exe{326AC46C-7C11-5FBF-0000-0010B7D00000}1328C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2e101|C:\Windows\system32\lsasrv.dll+2c2c4|C:\Windows\system32\lsasrv.dll+31375|C:\Windows\system32\lsasrv.dll+2f20b|C:\Windows\system32\lsasrv.dll+2e101|C:\Windows\system32\lsasrv.dll+16cdd|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 13241300x800000000000000016844Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.localSetValue2020-11-26 10:27:39.375{326AC46C-7C11-5FBF-0000-0010B7D00000}1328C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{90869922-2FCF-4D43-859E-B22588A4FFEF}\RegisteredSinceBootDWORD (0x00000001) 10341000x800000000000000016865Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:27:57.750{326AC46C-7C94-5FBF-0000-0010AB250600}30883244C:\Windows\system32\conhost.exe{326AC46C-832D-5FBF-0000-00106F2D2900}6692C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016864Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:27:57.750{326AC46C-7C10-5FBF-0000-0010F8650000}5921028C:\Windows\system32\svchost.exe{326AC46C-7C21-5FBF-0000-0010DACB0200}3188C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016863Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:27:57.750{326AC46C-7C10-5FBF-0000-0010F8650000}5921028C:\Windows\system32\svchost.exe{326AC46C-7C21-5FBF-0000-0010DACB0200}3188C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016862Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:27:57.750{326AC46C-7C10-5FBF-0000-0010F8650000}5921028C:\Windows\system32\svchost.exe{326AC46C-7C21-5FBF-0000-0010DACB0200}3188C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016861Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:27:57.750{326AC46C-7C10-5FBF-0000-0010F8650000}5921028C:\Windows\system32\svchost.exe{326AC46C-7C21-5FBF-0000-0010DACB0200}3188C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016860Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:27:57.750{326AC46C-7C0D-5FBF-0000-001005430000}6402148C:\Windows\system32\csrss.exe{326AC46C-832D-5FBF-0000-00106F2D2900}6692C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000016859Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:27:57.750{326AC46C-7C94-5FBF-0000-0010CF200600}4476884C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{326AC46C-832D-5FBF-0000-00106F2D2900}6692C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000016858Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:27:57.751{326AC46C-832D-5FBF-0000-00106F2D2900}6692C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{326AC46C-7C0E-5FBF-0000-0020E7030000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{326AC46C-7C94-5FBF-0000-0010CF200600}4476C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000016874Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:27:58.594{326AC46C-832E-5FBF-0000-00101D2F2900}37407132C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{326AC46C-7C94-5FBF-0000-0010CF200600}4476C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016873Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:27:58.453{326AC46C-7C94-5FBF-0000-0010AB250600}30883244C:\Windows\system32\conhost.exe{326AC46C-832E-5FBF-0000-00101D2F2900}3740C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016872Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:27:58.453{326AC46C-7C10-5FBF-0000-0010F8650000}5921028C:\Windows\system32\svchost.exe{326AC46C-7C21-5FBF-0000-0010DACB0200}3188C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016871Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:27:58.453{326AC46C-7C10-5FBF-0000-0010F8650000}5921028C:\Windows\system32\svchost.exe{326AC46C-7C21-5FBF-0000-0010DACB0200}3188C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016870Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:27:58.453{326AC46C-7C10-5FBF-0000-0010F8650000}5921028C:\Windows\system32\svchost.exe{326AC46C-7C21-5FBF-0000-0010DACB0200}3188C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016869Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:27:58.453{326AC46C-7C10-5FBF-0000-0010F8650000}5921028C:\Windows\system32\svchost.exe{326AC46C-7C21-5FBF-0000-0010DACB0200}3188C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016868Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:27:58.453{326AC46C-7C0D-5FBF-0000-001005430000}6401160C:\Windows\system32\csrss.exe{326AC46C-832E-5FBF-0000-00101D2F2900}3740C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000016867Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:27:58.453{326AC46C-7C94-5FBF-0000-0010CF200600}4476884C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{326AC46C-832E-5FBF-0000-00101D2F2900}3740C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000016866Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:27:58.454{326AC46C-832E-5FBF-0000-00101D2F2900}3740C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{326AC46C-7C0E-5FBF-0000-0020E7030000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{326AC46C-7C94-5FBF-0000-0010CF200600}4476C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000016882Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:27:59.078{326AC46C-7C94-5FBF-0000-0010AB250600}30883244C:\Windows\system32\conhost.exe{326AC46C-832F-5FBF-0000-0010C5302900}5868C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016881Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:27:59.078{326AC46C-7C10-5FBF-0000-0010F8650000}5921028C:\Windows\system32\svchost.exe{326AC46C-7C21-5FBF-0000-0010DACB0200}3188C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016880Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:27:59.078{326AC46C-7C10-5FBF-0000-0010F8650000}5921028C:\Windows\system32\svchost.exe{326AC46C-7C21-5FBF-0000-0010DACB0200}3188C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016879Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:27:59.078{326AC46C-7C10-5FBF-0000-0010F8650000}5921028C:\Windows\system32\svchost.exe{326AC46C-7C21-5FBF-0000-0010DACB0200}3188C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016878Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:27:59.078{326AC46C-7C10-5FBF-0000-0010F8650000}5921028C:\Windows\system32\svchost.exe{326AC46C-7C21-5FBF-0000-0010DACB0200}3188C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016877Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:27:59.078{326AC46C-7C0D-5FBF-0000-001005430000}6401160C:\Windows\system32\csrss.exe{326AC46C-832F-5FBF-0000-0010C5302900}5868C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000016876Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:27:59.078{326AC46C-7C94-5FBF-0000-0010CF200600}4476884C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{326AC46C-832F-5FBF-0000-0010C5302900}5868C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000016875Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:27:59.080{326AC46C-832F-5FBF-0000-0010C5302900}5868C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{326AC46C-7C0E-5FBF-0000-0020E7030000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{326AC46C-7C94-5FBF-0000-0010CF200600}4476C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000016900Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:28:00.828{326AC46C-8330-5FBF-0000-001052342900}65365800C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{326AC46C-7C94-5FBF-0000-0010CF200600}4476C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016899Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:28:00.703{326AC46C-7C94-5FBF-0000-0010AB250600}30883244C:\Windows\system32\conhost.exe{326AC46C-8330-5FBF-0000-001052342900}6536C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016898Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:28:00.703{326AC46C-7C10-5FBF-0000-0010F8650000}5921028C:\Windows\system32\svchost.exe{326AC46C-7C21-5FBF-0000-0010DACB0200}3188C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016897Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:28:00.703{326AC46C-7C10-5FBF-0000-0010F8650000}5921028C:\Windows\system32\svchost.exe{326AC46C-7C21-5FBF-0000-0010DACB0200}3188C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016896Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:28:00.703{326AC46C-7C10-5FBF-0000-0010F8650000}5921028C:\Windows\system32\svchost.exe{326AC46C-7C21-5FBF-0000-0010DACB0200}3188C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016895Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:28:00.703{326AC46C-7C10-5FBF-0000-0010F8650000}5921028C:\Windows\system32\svchost.exe{326AC46C-7C21-5FBF-0000-0010DACB0200}3188C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016894Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:28:00.703{326AC46C-7C0D-5FBF-0000-001005430000}6402148C:\Windows\system32\csrss.exe{326AC46C-8330-5FBF-0000-001052342900}6536C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000016893Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:28:00.703{326AC46C-7C94-5FBF-0000-0010CF200600}4476884C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{326AC46C-8330-5FBF-0000-001052342900}6536C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000016892Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:28:00.704{326AC46C-8330-5FBF-0000-001052342900}6536C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe?????"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{326AC46C-7C0E-5FBF-0000-0020E7030000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{326AC46C-7C94-5FBF-0000-0010CF200600}4476C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000016891Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:28:00.172{326AC46C-8330-5FBF-0000-001085322900}1736936C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{326AC46C-7C94-5FBF-0000-0010CF200600}4476C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016890Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:28:00.031{326AC46C-7C94-5FBF-0000-0010AB250600}30883244C:\Windows\system32\conhost.exe{326AC46C-8330-5FBF-0000-001085322900}1736C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016889Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:28:00.031{326AC46C-7C10-5FBF-0000-0010F8650000}5921028C:\Windows\system32\svchost.exe{326AC46C-7C21-5FBF-0000-0010DACB0200}3188C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016888Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:28:00.031{326AC46C-7C10-5FBF-0000-0010F8650000}5921028C:\Windows\system32\svchost.exe{326AC46C-7C21-5FBF-0000-0010DACB0200}3188C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016887Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:28:00.031{326AC46C-7C10-5FBF-0000-0010F8650000}5921028C:\Windows\system32\svchost.exe{326AC46C-7C21-5FBF-0000-0010DACB0200}3188C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016886Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:28:00.031{326AC46C-7C10-5FBF-0000-0010F8650000}5921028C:\Windows\system32\svchost.exe{326AC46C-7C21-5FBF-0000-0010DACB0200}3188C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016885Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:28:00.031{326AC46C-7C0D-5FBF-0000-001005430000}6402460C:\Windows\system32\csrss.exe{326AC46C-8330-5FBF-0000-001085322900}1736C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000016884Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:28:00.031{326AC46C-7C94-5FBF-0000-0010CF200600}4476884C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{326AC46C-8330-5FBF-0000-001085322900}1736C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000016883Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:28:00.032{326AC46C-8330-5FBF-0000-001085322900}1736C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe?????"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{326AC46C-7C0E-5FBF-0000-0020E7030000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{326AC46C-7C94-5FBF-0000-0010CF200600}4476C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000016909Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:28:01.500{326AC46C-8331-5FBF-0000-00100F362900}41325064C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{326AC46C-7C94-5FBF-0000-0010CF200600}4476C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016908Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:28:01.360{326AC46C-7C94-5FBF-0000-0010AB250600}30883244C:\Windows\system32\conhost.exe{326AC46C-8331-5FBF-0000-00100F362900}4132C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016907Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:28:01.360{326AC46C-7C10-5FBF-0000-0010F8650000}5921028C:\Windows\system32\svchost.exe{326AC46C-7C21-5FBF-0000-0010DACB0200}3188C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016906Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:28:01.360{326AC46C-7C10-5FBF-0000-0010F8650000}5921028C:\Windows\system32\svchost.exe{326AC46C-7C21-5FBF-0000-0010DACB0200}3188C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016905Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:28:01.360{326AC46C-7C10-5FBF-0000-0010F8650000}5921028C:\Windows\system32\svchost.exe{326AC46C-7C21-5FBF-0000-0010DACB0200}3188C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016904Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:28:01.360{326AC46C-7C10-5FBF-0000-0010F8650000}5921028C:\Windows\system32\svchost.exe{326AC46C-7C21-5FBF-0000-0010DACB0200}3188C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016903Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:28:01.360{326AC46C-7C0D-5FBF-0000-001005430000}640656C:\Windows\system32\csrss.exe{326AC46C-8331-5FBF-0000-00100F362900}4132C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000016902Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:28:01.360{326AC46C-7C94-5FBF-0000-0010CF200600}4476884C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{326AC46C-8331-5FBF-0000-00100F362900}4132C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000016901Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:28:01.361{326AC46C-8331-5FBF-0000-00100F362900}4132C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{326AC46C-7C0E-5FBF-0000-0020E7030000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{326AC46C-7C94-5FBF-0000-0010CF200600}4476C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000016917Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:28:03.313{326AC46C-7C94-5FBF-0000-0010AB250600}30883244C:\Windows\system32\conhost.exe{326AC46C-8333-5FBF-0000-0010B8382900}5384C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016916Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:28:03.313{326AC46C-7C10-5FBF-0000-0010F8650000}5921028C:\Windows\system32\svchost.exe{326AC46C-7C21-5FBF-0000-0010DACB0200}3188C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016915Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:28:03.313{326AC46C-7C10-5FBF-0000-0010F8650000}5921028C:\Windows\system32\svchost.exe{326AC46C-7C21-5FBF-0000-0010DACB0200}3188C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016914Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:28:03.313{326AC46C-7C10-5FBF-0000-0010F8650000}5921028C:\Windows\system32\svchost.exe{326AC46C-7C21-5FBF-0000-0010DACB0200}3188C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016913Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:28:03.313{326AC46C-7C10-5FBF-0000-0010F8650000}5921028C:\Windows\system32\svchost.exe{326AC46C-7C21-5FBF-0000-0010DACB0200}3188C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016912Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:28:03.313{326AC46C-7C0D-5FBF-0000-001005430000}6402148C:\Windows\system32\csrss.exe{326AC46C-8333-5FBF-0000-0010B8382900}5384C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000016911Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:28:03.313{326AC46C-7C94-5FBF-0000-0010CF200600}4476884C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{326AC46C-8333-5FBF-0000-0010B8382900}5384C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000016910Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:28:03.313{326AC46C-8333-5FBF-0000-0010B8382900}5384C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{326AC46C-7C0E-5FBF-0000-0020E7030000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{326AC46C-7C94-5FBF-0000-0010CF200600}4476C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 13241300x800000000000000016920Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.localSetValue2020-11-26 10:28:09.344{326AC46C-7C21-5FBF-0000-00108CCC0200}3248C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Volumes\9D191D6C-0000-0000-0000-100000000000\Volume Configuration File\\.\C:\System Volume Information\DFSR\Config\Volume_9D191D6C-0000-0000-0000-100000000000.XML 13241300x800000000000000016919Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.localSetValue2020-11-26 10:28:09.344{326AC46C-7C21-5FBF-0000-00108CCC0200}3248C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\3352377B-691B-45DF-91CF-0BC5B38904DA\Config SourceDWORD (0x00000001) 13241300x800000000000000016918Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.localSetValue2020-11-26 10:28:09.344{326AC46C-7C21-5FBF-0000-00108CCC0200}3248C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\3352377B-691B-45DF-91CF-0BC5B38904DA\Replica Set Configuration File\\?\C:\System Volume Information\DFSR\Config\Replica_3352377B-691B-45DF-91CF-0BC5B38904DA.XML 13241300x800000000000000016921Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.localSetValue2020-11-26 10:28:14.078{326AC46C-7C11-5FBF-0000-0010F6C50000}1220C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d6c3de-0xd8c2767b) 10341000x800000000000000016929Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:28:57.749{326AC46C-7C94-5FBF-0000-0010AB250600}30883244C:\Windows\system32\conhost.exe{326AC46C-8369-5FBF-0000-0010EA462900}4668C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016928Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:28:57.749{326AC46C-7C10-5FBF-0000-0010F8650000}5921028C:\Windows\system32\svchost.exe{326AC46C-7C21-5FBF-0000-0010DACB0200}3188C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016927Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:28:57.749{326AC46C-7C10-5FBF-0000-0010F8650000}5921028C:\Windows\system32\svchost.exe{326AC46C-7C21-5FBF-0000-0010DACB0200}3188C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016926Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:28:57.749{326AC46C-7C10-5FBF-0000-0010F8650000}5921028C:\Windows\system32\svchost.exe{326AC46C-7C21-5FBF-0000-0010DACB0200}3188C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016925Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:28:57.749{326AC46C-7C10-5FBF-0000-0010F8650000}5921028C:\Windows\system32\svchost.exe{326AC46C-7C21-5FBF-0000-0010DACB0200}3188C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016924Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:28:57.749{326AC46C-7C0D-5FBF-0000-001005430000}640656C:\Windows\system32\csrss.exe{326AC46C-8369-5FBF-0000-0010EA462900}4668C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000016923Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:28:57.749{326AC46C-7C94-5FBF-0000-0010CF200600}4476884C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{326AC46C-8369-5FBF-0000-0010EA462900}4668C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000016922Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:28:57.750{326AC46C-8369-5FBF-0000-0010EA462900}4668C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{326AC46C-7C0E-5FBF-0000-0020E7030000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{326AC46C-7C94-5FBF-0000-0010CF200600}4476C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000016938Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:28:58.593{326AC46C-836A-5FBF-0000-00108E482900}47885564C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{326AC46C-7C94-5FBF-0000-0010CF200600}4476C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016937Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:28:58.468{326AC46C-7C94-5FBF-0000-0010AB250600}30883244C:\Windows\system32\conhost.exe{326AC46C-836A-5FBF-0000-00108E482900}4788C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016936Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:28:58.468{326AC46C-7C10-5FBF-0000-0010F8650000}5921028C:\Windows\system32\svchost.exe{326AC46C-7C21-5FBF-0000-0010DACB0200}3188C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016935Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:28:58.468{326AC46C-7C10-5FBF-0000-0010F8650000}5921028C:\Windows\system32\svchost.exe{326AC46C-7C21-5FBF-0000-0010DACB0200}3188C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016934Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:28:58.468{326AC46C-7C10-5FBF-0000-0010F8650000}5921028C:\Windows\system32\svchost.exe{326AC46C-7C21-5FBF-0000-0010DACB0200}3188C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016933Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:28:58.468{326AC46C-7C10-5FBF-0000-0010F8650000}5921028C:\Windows\system32\svchost.exe{326AC46C-7C21-5FBF-0000-0010DACB0200}3188C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016932Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:28:58.468{326AC46C-7C0D-5FBF-0000-001005430000}640800C:\Windows\system32\csrss.exe{326AC46C-836A-5FBF-0000-00108E482900}4788C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000016931Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:28:58.468{326AC46C-7C94-5FBF-0000-0010CF200600}4476884C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{326AC46C-836A-5FBF-0000-00108E482900}4788C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000016930Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:28:58.469{326AC46C-836A-5FBF-0000-00108E482900}4788C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{326AC46C-7C0E-5FBF-0000-0020E7030000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{326AC46C-7C94-5FBF-0000-0010CF200600}4476C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000016946Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:28:59.140{326AC46C-7C94-5FBF-0000-0010AB250600}30883244C:\Windows\system32\conhost.exe{326AC46C-836B-5FBF-0000-0010364A2900}3372C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016945Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:28:59.140{326AC46C-7C10-5FBF-0000-0010F8650000}5921028C:\Windows\system32\svchost.exe{326AC46C-7C21-5FBF-0000-0010DACB0200}3188C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016944Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:28:59.140{326AC46C-7C10-5FBF-0000-0010F8650000}5921028C:\Windows\system32\svchost.exe{326AC46C-7C21-5FBF-0000-0010DACB0200}3188C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016943Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:28:59.140{326AC46C-7C10-5FBF-0000-0010F8650000}5921028C:\Windows\system32\svchost.exe{326AC46C-7C21-5FBF-0000-0010DACB0200}3188C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016942Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:28:59.140{326AC46C-7C10-5FBF-0000-0010F8650000}5921028C:\Windows\system32\svchost.exe{326AC46C-7C21-5FBF-0000-0010DACB0200}3188C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016941Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:28:59.140{326AC46C-7C0D-5FBF-0000-001005430000}640656C:\Windows\system32\csrss.exe{326AC46C-836B-5FBF-0000-0010364A2900}3372C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000016940Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:28:59.140{326AC46C-7C94-5FBF-0000-0010CF200600}4476884C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{326AC46C-836B-5FBF-0000-0010364A2900}3372C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000016939Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:28:59.141{326AC46C-836B-5FBF-0000-0010364A2900}3372C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{326AC46C-7C0E-5FBF-0000-0020E7030000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{326AC46C-7C94-5FBF-0000-0010CF200600}4476C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000016964Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:29:00.687{326AC46C-836C-5FBF-0000-0010BD4D2900}70326704C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{326AC46C-7C94-5FBF-0000-0010CF200600}4476C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016963Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:29:00.546{326AC46C-7C94-5FBF-0000-0010AB250600}30883244C:\Windows\system32\conhost.exe{326AC46C-836C-5FBF-0000-0010BD4D2900}7032C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016962Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:29:00.546{326AC46C-7C10-5FBF-0000-0010F8650000}5921028C:\Windows\system32\svchost.exe{326AC46C-7C21-5FBF-0000-0010DACB0200}3188C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016961Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:29:00.546{326AC46C-7C10-5FBF-0000-0010F8650000}5921028C:\Windows\system32\svchost.exe{326AC46C-7C21-5FBF-0000-0010DACB0200}3188C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016960Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:29:00.546{326AC46C-7C10-5FBF-0000-0010F8650000}5921028C:\Windows\system32\svchost.exe{326AC46C-7C21-5FBF-0000-0010DACB0200}3188C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016959Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:29:00.546{326AC46C-7C10-5FBF-0000-0010F8650000}5921028C:\Windows\system32\svchost.exe{326AC46C-7C21-5FBF-0000-0010DACB0200}3188C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016958Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:29:00.546{326AC46C-7C0D-5FBF-0000-001005430000}6402460C:\Windows\system32\csrss.exe{326AC46C-836C-5FBF-0000-0010BD4D2900}7032C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000016957Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:29:00.546{326AC46C-7C94-5FBF-0000-0010CF200600}4476884C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{326AC46C-836C-5FBF-0000-0010BD4D2900}7032C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000016956Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:29:00.547{326AC46C-836C-5FBF-0000-0010BD4D2900}7032C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe?????"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{326AC46C-7C0E-5FBF-0000-0020E7030000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{326AC46C-7C94-5FBF-0000-0010CF200600}4476C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000016955Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:29:00.156{326AC46C-836C-5FBF-0000-0010024C2900}69761876C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{326AC46C-7C94-5FBF-0000-0010CF200600}4476C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016954Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:29:00.031{326AC46C-7C94-5FBF-0000-0010AB250600}30883244C:\Windows\system32\conhost.exe{326AC46C-836C-5FBF-0000-0010024C2900}6976C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016953Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:29:00.031{326AC46C-7C10-5FBF-0000-0010F8650000}5921028C:\Windows\system32\svchost.exe{326AC46C-7C21-5FBF-0000-0010DACB0200}3188C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016952Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:29:00.031{326AC46C-7C10-5FBF-0000-0010F8650000}5921028C:\Windows\system32\svchost.exe{326AC46C-7C21-5FBF-0000-0010DACB0200}3188C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016951Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:29:00.031{326AC46C-7C10-5FBF-0000-0010F8650000}5921028C:\Windows\system32\svchost.exe{326AC46C-7C21-5FBF-0000-0010DACB0200}3188C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016950Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:29:00.031{326AC46C-7C10-5FBF-0000-0010F8650000}5921028C:\Windows\system32\svchost.exe{326AC46C-7C21-5FBF-0000-0010DACB0200}3188C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016949Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:29:00.031{326AC46C-7C0D-5FBF-0000-001005430000}6402460C:\Windows\system32\csrss.exe{326AC46C-836C-5FBF-0000-0010024C2900}6976C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000016948Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:29:00.031{326AC46C-7C94-5FBF-0000-0010CF200600}4476884C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{326AC46C-836C-5FBF-0000-0010024C2900}6976C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000016947Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:29:00.031{326AC46C-836C-5FBF-0000-0010024C2900}6976C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe?????"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{326AC46C-7C0E-5FBF-0000-0020E7030000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{326AC46C-7C94-5FBF-0000-0010CF200600}4476C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000016973Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:29:01.359{326AC46C-836D-5FBF-0000-00104F4F2900}42327164C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{326AC46C-7C94-5FBF-0000-0010CF200600}4476C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016972Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:29:01.218{326AC46C-7C94-5FBF-0000-0010AB250600}30883244C:\Windows\system32\conhost.exe{326AC46C-836D-5FBF-0000-00104F4F2900}4232C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016971Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:29:01.218{326AC46C-7C10-5FBF-0000-0010F8650000}5921028C:\Windows\system32\svchost.exe{326AC46C-7C21-5FBF-0000-0010DACB0200}3188C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016970Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:29:01.218{326AC46C-7C10-5FBF-0000-0010F8650000}5921028C:\Windows\system32\svchost.exe{326AC46C-7C21-5FBF-0000-0010DACB0200}3188C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016969Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:29:01.218{326AC46C-7C10-5FBF-0000-0010F8650000}5921028C:\Windows\system32\svchost.exe{326AC46C-7C21-5FBF-0000-0010DACB0200}3188C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016968Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:29:01.218{326AC46C-7C10-5FBF-0000-0010F8650000}5921028C:\Windows\system32\svchost.exe{326AC46C-7C21-5FBF-0000-0010DACB0200}3188C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016967Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:29:01.218{326AC46C-7C0D-5FBF-0000-001005430000}640656C:\Windows\system32\csrss.exe{326AC46C-836D-5FBF-0000-00104F4F2900}4232C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000016966Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:29:01.218{326AC46C-7C94-5FBF-0000-0010CF200600}4476884C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{326AC46C-836D-5FBF-0000-00104F4F2900}4232C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000016965Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:29:01.219{326AC46C-836D-5FBF-0000-00104F4F2900}4232C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{326AC46C-7C0E-5FBF-0000-0020E7030000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{326AC46C-7C94-5FBF-0000-0010CF200600}4476C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000016981Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:29:03.312{326AC46C-7C94-5FBF-0000-0010AB250600}30883244C:\Windows\system32\conhost.exe{326AC46C-836F-5FBF-0000-0010FA512900}2736C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016980Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:29:03.312{326AC46C-7C10-5FBF-0000-0010F8650000}5921028C:\Windows\system32\svchost.exe{326AC46C-7C21-5FBF-0000-0010DACB0200}3188C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016979Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:29:03.312{326AC46C-7C10-5FBF-0000-0010F8650000}5921028C:\Windows\system32\svchost.exe{326AC46C-7C21-5FBF-0000-0010DACB0200}3188C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016978Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:29:03.312{326AC46C-7C10-5FBF-0000-0010F8650000}5921028C:\Windows\system32\svchost.exe{326AC46C-7C21-5FBF-0000-0010DACB0200}3188C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016977Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:29:03.312{326AC46C-7C10-5FBF-0000-0010F8650000}5921028C:\Windows\system32\svchost.exe{326AC46C-7C21-5FBF-0000-0010DACB0200}3188C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016976Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:29:03.312{326AC46C-7C0D-5FBF-0000-001005430000}640656C:\Windows\system32\csrss.exe{326AC46C-836F-5FBF-0000-0010FA512900}2736C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000016975Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:29:03.312{326AC46C-7C94-5FBF-0000-0010CF200600}4476884C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{326AC46C-836F-5FBF-0000-0010FA512900}2736C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000016974Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:29:03.312{326AC46C-836F-5FBF-0000-0010FA512900}2736C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{326AC46C-7C0E-5FBF-0000-0020E7030000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{326AC46C-7C94-5FBF-0000-0010CF200600}4476C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000016986Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:29:12.937{326AC46C-7C10-5FBF-0000-0010F8650000}5921028C:\Windows\system32\svchost.exe{326AC46C-7C11-5FBF-0000-001004EE0000}1548C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016985Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:29:12.937{326AC46C-7C10-5FBF-0000-0010F8650000}5921028C:\Windows\system32\svchost.exe{326AC46C-7C11-5FBF-0000-001004EE0000}1548C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016984Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:29:12.937{326AC46C-7C10-5FBF-0000-0010F8650000}5921028C:\Windows\system32\svchost.exe{326AC46C-7C11-5FBF-0000-001004EE0000}1548C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016983Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:29:12.765{326AC46C-7C0E-5FBF-0000-001031540000}860896C:\Windows\system32\lsass.exe{326AC46C-7C0C-5FBF-0000-0010EB030000}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2e101|C:\Windows\system32\lsasrv.dll+2c2c4|C:\Windows\system32\lsasrv.dll+31819|C:\Windows\system32\lsasrv.dll+2f177|C:\Windows\system32\lsasrv.dll+2e101|C:\Windows\system32\lsasrv.dll+16cdd|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 13241300x800000000000000016982Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.localT1101SetValue2020-11-26 10:29:12.655{326AC46C-7C0E-5FBF-0000-001031540000}860C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Control\Lsa\CachedMachineNames\NameUserPrincipalWIN-DC-655$@attackrange.local 10341000x800000000000000017015Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:29:29.333{326AC46C-7C10-5FBF-0000-001009AA0000}616576C:\Windows\system32\svchost.exe{326AC46C-7EDD-5FBF-0000-001031601100}5200C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017014Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:29:29.333{326AC46C-7C10-5FBF-0000-001009AA0000}616576C:\Windows\system32\svchost.exe{326AC46C-7EDD-5FBF-0000-001031601100}5200C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017013Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:29:29.333{326AC46C-7C10-5FBF-0000-001009AA0000}616576C:\Windows\system32\svchost.exe{326AC46C-7EDD-5FBF-0000-001031601100}5200C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017012Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:29:29.333{326AC46C-7C10-5FBF-0000-001009AA0000}616576C:\Windows\system32\svchost.exe{326AC46C-7EDD-5FBF-0000-001031601100}5200C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017011Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:29:29.333{326AC46C-7C10-5FBF-0000-001009AA0000}616576C:\Windows\system32\svchost.exe{326AC46C-7EDD-5FBF-0000-001031601100}5200C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017010Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:29:29.333{326AC46C-7C10-5FBF-0000-001009AA0000}616576C:\Windows\system32\svchost.exe{326AC46C-7EDD-5FBF-0000-001031601100}5200C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017009Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:29:29.333{326AC46C-7C10-5FBF-0000-001009AA0000}616576C:\Windows\system32\svchost.exe{326AC46C-7EDD-5FBF-0000-001031601100}5200C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017008Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:29:29.333{326AC46C-7C10-5FBF-0000-001009AA0000}616576C:\Windows\system32\svchost.exe{326AC46C-7EC8-5FBF-0000-001074D40D00}3504C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017007Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:29:29.333{326AC46C-7C10-5FBF-0000-001009AA0000}616576C:\Windows\system32\svchost.exe{326AC46C-7EC8-5FBF-0000-001074D40D00}3504C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017006Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:29:29.333{326AC46C-7C10-5FBF-0000-001009AA0000}616576C:\Windows\system32\svchost.exe{326AC46C-7EC8-5FBF-0000-001074D40D00}3504C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017005Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:29:29.333{326AC46C-7C10-5FBF-0000-001009AA0000}616576C:\Windows\system32\svchost.exe{326AC46C-7EC8-5FBF-0000-001074D40D00}3504C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017004Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:29:29.333{326AC46C-7C10-5FBF-0000-001009AA0000}616576C:\Windows\system32\svchost.exe{326AC46C-7EC8-5FBF-0000-001074D40D00}3504C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017003Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:29:29.333{326AC46C-7C10-5FBF-0000-001009AA0000}616576C:\Windows\system32\svchost.exe{326AC46C-7EC8-5FBF-0000-001074D40D00}3504C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017002Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:29:29.333{326AC46C-7C10-5FBF-0000-001009AA0000}616576C:\Windows\system32\svchost.exe{326AC46C-7EC8-5FBF-0000-001074D40D00}3504C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017001Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:29:29.333{326AC46C-7C10-5FBF-0000-001009AA0000}616576C:\Windows\system32\svchost.exe{326AC46C-7EC8-5FBF-0000-001074D40D00}3504C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017000Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:29:29.333{326AC46C-7C10-5FBF-0000-001009AA0000}616576C:\Windows\system32\svchost.exe{326AC46C-7EC8-5FBF-0000-001074D40D00}3504C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016999Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:29:29.333{326AC46C-7C10-5FBF-0000-001009AA0000}616576C:\Windows\system32\svchost.exe{326AC46C-7EC8-5FBF-0000-001074D40D00}3504C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016998Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:29:29.333{326AC46C-7C10-5FBF-0000-001009AA0000}616576C:\Windows\system32\svchost.exe{326AC46C-7EC8-5FBF-0000-001074D40D00}3504C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016997Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:29:29.333{326AC46C-7C10-5FBF-0000-001009AA0000}616576C:\Windows\system32\svchost.exe{326AC46C-7EC8-5FBF-0000-001074D40D00}3504C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016996Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:29:29.333{326AC46C-7C10-5FBF-0000-001009AA0000}616576C:\Windows\system32\svchost.exe{326AC46C-7EC8-5FBF-0000-001074D40D00}3504C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016995Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:29:29.333{326AC46C-7C10-5FBF-0000-001009AA0000}616576C:\Windows\system32\svchost.exe{326AC46C-7EC8-5FBF-0000-001074D40D00}3504C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016994Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:29:29.333{326AC46C-7C10-5FBF-0000-001009AA0000}616576C:\Windows\system32\svchost.exe{326AC46C-7EDD-5FBF-0000-001020381100}3460C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016993Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:29:29.333{326AC46C-7C10-5FBF-0000-001009AA0000}616576C:\Windows\system32\svchost.exe{326AC46C-7EDD-5FBF-0000-001020381100}3460C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016992Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:29:29.333{326AC46C-7C10-5FBF-0000-001009AA0000}616576C:\Windows\system32\svchost.exe{326AC46C-7EDD-5FBF-0000-001020381100}3460C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016991Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:29:29.333{326AC46C-7C10-5FBF-0000-001009AA0000}616576C:\Windows\system32\svchost.exe{326AC46C-7EDD-5FBF-0000-001020381100}3460C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016990Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:29:29.333{326AC46C-7C10-5FBF-0000-001009AA0000}616576C:\Windows\system32\svchost.exe{326AC46C-7EDD-5FBF-0000-001020381100}3460C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016989Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:29:29.333{326AC46C-7C10-5FBF-0000-001009AA0000}616576C:\Windows\system32\svchost.exe{326AC46C-7EDD-5FBF-0000-001020381100}3460C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016988Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:29:29.333{326AC46C-7C10-5FBF-0000-001009AA0000}616576C:\Windows\system32\svchost.exe{326AC46C-7EDD-5FBF-0000-001020381100}3460C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016987Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:29:29.333{326AC46C-7C10-5FBF-0000-001009AA0000}616576C:\Windows\system32\svchost.exe{326AC46C-7EDD-5FBF-0000-001020381100}3460C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017023Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:29:57.770{326AC46C-7C94-5FBF-0000-0010AB250600}30883244C:\Windows\system32\conhost.exe{326AC46C-83A5-5FBF-0000-0010AC652900}4708C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017022Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:29:57.770{326AC46C-7C10-5FBF-0000-0010F8650000}5921028C:\Windows\system32\svchost.exe{326AC46C-7C21-5FBF-0000-0010DACB0200}3188C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017021Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:29:57.770{326AC46C-7C10-5FBF-0000-0010F8650000}5921028C:\Windows\system32\svchost.exe{326AC46C-7C21-5FBF-0000-0010DACB0200}3188C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017020Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:29:57.770{326AC46C-7C10-5FBF-0000-0010F8650000}5921028C:\Windows\system32\svchost.exe{326AC46C-7C21-5FBF-0000-0010DACB0200}3188C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017019Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:29:57.770{326AC46C-7C10-5FBF-0000-0010F8650000}5921028C:\Windows\system32\svchost.exe{326AC46C-7C21-5FBF-0000-0010DACB0200}3188C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017018Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:29:57.770{326AC46C-7C0D-5FBF-0000-001005430000}640656C:\Windows\system32\csrss.exe{326AC46C-83A5-5FBF-0000-0010AC652900}4708C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000017017Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:29:57.770{326AC46C-7C94-5FBF-0000-0010CF200600}4476884C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{326AC46C-83A5-5FBF-0000-0010AC652900}4708C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000017016Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:29:57.770{326AC46C-83A5-5FBF-0000-0010AC652900}4708C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{326AC46C-7C0E-5FBF-0000-0020E7030000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{326AC46C-7C94-5FBF-0000-0010CF200600}4476C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000017032Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:29:58.613{326AC46C-83A6-5FBF-0000-001037672900}13523484C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{326AC46C-7C94-5FBF-0000-0010CF200600}4476C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017031Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:29:58.488{326AC46C-7C94-5FBF-0000-0010AB250600}30883244C:\Windows\system32\conhost.exe{326AC46C-83A6-5FBF-0000-001037672900}1352C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017030Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:29:58.488{326AC46C-7C10-5FBF-0000-0010F8650000}5921028C:\Windows\system32\svchost.exe{326AC46C-7C21-5FBF-0000-0010DACB0200}3188C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017029Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:29:58.488{326AC46C-7C10-5FBF-0000-0010F8650000}5921028C:\Windows\system32\svchost.exe{326AC46C-7C21-5FBF-0000-0010DACB0200}3188C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017028Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:29:58.488{326AC46C-7C10-5FBF-0000-0010F8650000}5921028C:\Windows\system32\svchost.exe{326AC46C-7C21-5FBF-0000-0010DACB0200}3188C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017027Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:29:58.488{326AC46C-7C10-5FBF-0000-0010F8650000}5921028C:\Windows\system32\svchost.exe{326AC46C-7C21-5FBF-0000-0010DACB0200}3188C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017026Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:29:58.488{326AC46C-7C0D-5FBF-0000-001005430000}6402460C:\Windows\system32\csrss.exe{326AC46C-83A6-5FBF-0000-001037672900}1352C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000017025Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:29:58.488{326AC46C-7C94-5FBF-0000-0010CF200600}4476884C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{326AC46C-83A6-5FBF-0000-001037672900}1352C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000017024Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:29:58.489{326AC46C-83A6-5FBF-0000-001037672900}1352C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{326AC46C-7C0E-5FBF-0000-0020E7030000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{326AC46C-7C94-5FBF-0000-0010CF200600}4476C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000017040Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:29:59.160{326AC46C-7C94-5FBF-0000-0010AB250600}30883244C:\Windows\system32\conhost.exe{326AC46C-83A7-5FBF-0000-001001692900}3376C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017039Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:29:59.160{326AC46C-7C10-5FBF-0000-0010F8650000}5921028C:\Windows\system32\svchost.exe{326AC46C-7C21-5FBF-0000-0010DACB0200}3188C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017038Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:29:59.160{326AC46C-7C10-5FBF-0000-0010F8650000}5921028C:\Windows\system32\svchost.exe{326AC46C-7C21-5FBF-0000-0010DACB0200}3188C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017037Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:29:59.160{326AC46C-7C10-5FBF-0000-0010F8650000}5921028C:\Windows\system32\svchost.exe{326AC46C-7C21-5FBF-0000-0010DACB0200}3188C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017036Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:29:59.160{326AC46C-7C10-5FBF-0000-0010F8650000}5921028C:\Windows\system32\svchost.exe{326AC46C-7C21-5FBF-0000-0010DACB0200}3188C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017035Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:29:59.160{326AC46C-7C0D-5FBF-0000-001005430000}6402460C:\Windows\system32\csrss.exe{326AC46C-83A7-5FBF-0000-001001692900}3376C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000017034Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:29:59.160{326AC46C-7C94-5FBF-0000-0010CF200600}4476884C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{326AC46C-83A7-5FBF-0000-001001692900}3376C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000017033Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:29:59.161{326AC46C-83A7-5FBF-0000-001001692900}3376C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{326AC46C-7C0E-5FBF-0000-0020E7030000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{326AC46C-7C94-5FBF-0000-0010CF200600}4476C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000017058Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:30:00.754{326AC46C-83A8-5FBF-0000-0010816C2900}56361072C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{326AC46C-7C94-5FBF-0000-0010CF200600}4476C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017057Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:30:00.629{326AC46C-7C94-5FBF-0000-0010AB250600}30883244C:\Windows\system32\conhost.exe{326AC46C-83A8-5FBF-0000-0010816C2900}5636C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017056Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:30:00.629{326AC46C-7C10-5FBF-0000-0010F8650000}5921028C:\Windows\system32\svchost.exe{326AC46C-7C21-5FBF-0000-0010DACB0200}3188C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017055Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:30:00.629{326AC46C-7C10-5FBF-0000-0010F8650000}5921028C:\Windows\system32\svchost.exe{326AC46C-7C21-5FBF-0000-0010DACB0200}3188C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017054Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:30:00.629{326AC46C-7C10-5FBF-0000-0010F8650000}5921028C:\Windows\system32\svchost.exe{326AC46C-7C21-5FBF-0000-0010DACB0200}3188C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017053Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:30:00.629{326AC46C-7C10-5FBF-0000-0010F8650000}5921028C:\Windows\system32\svchost.exe{326AC46C-7C21-5FBF-0000-0010DACB0200}3188C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017052Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:30:00.629{326AC46C-7C0D-5FBF-0000-001005430000}640800C:\Windows\system32\csrss.exe{326AC46C-83A8-5FBF-0000-0010816C2900}5636C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000017051Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:30:00.629{326AC46C-7C94-5FBF-0000-0010CF200600}4476884C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{326AC46C-83A8-5FBF-0000-0010816C2900}5636C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000017050Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:30:00.631{326AC46C-83A8-5FBF-0000-0010816C2900}5636C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe?????"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{326AC46C-7C0E-5FBF-0000-0020E7030000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{326AC46C-7C94-5FBF-0000-0010CF200600}4476C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000017049Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:30:00.176{326AC46C-83A8-5FBF-0000-0010C66A2900}71241128C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{326AC46C-7C94-5FBF-0000-0010CF200600}4476C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017048Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:30:00.051{326AC46C-7C94-5FBF-0000-0010AB250600}30883244C:\Windows\system32\conhost.exe{326AC46C-83A8-5FBF-0000-0010C66A2900}7124C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017047Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:30:00.051{326AC46C-7C10-5FBF-0000-0010F8650000}5921028C:\Windows\system32\svchost.exe{326AC46C-7C21-5FBF-0000-0010DACB0200}3188C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017046Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:30:00.051{326AC46C-7C10-5FBF-0000-0010F8650000}5921028C:\Windows\system32\svchost.exe{326AC46C-7C21-5FBF-0000-0010DACB0200}3188C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017045Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:30:00.051{326AC46C-7C10-5FBF-0000-0010F8650000}5921028C:\Windows\system32\svchost.exe{326AC46C-7C21-5FBF-0000-0010DACB0200}3188C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017044Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:30:00.051{326AC46C-7C10-5FBF-0000-0010F8650000}5921028C:\Windows\system32\svchost.exe{326AC46C-7C21-5FBF-0000-0010DACB0200}3188C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017043Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:30:00.051{326AC46C-7C0D-5FBF-0000-001005430000}640800C:\Windows\system32\csrss.exe{326AC46C-83A8-5FBF-0000-0010C66A2900}7124C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000017042Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:30:00.051{326AC46C-7C94-5FBF-0000-0010CF200600}4476884C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{326AC46C-83A8-5FBF-0000-0010C66A2900}7124C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000017041Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:30:00.051{326AC46C-83A8-5FBF-0000-0010C66A2900}7124C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe?????"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{326AC46C-7C0E-5FBF-0000-0020E7030000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{326AC46C-7C94-5FBF-0000-0010CF200600}4476C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000017067Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:30:01.441{326AC46C-83A9-5FBF-0000-0010136E2900}61361112C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{326AC46C-7C94-5FBF-0000-0010CF200600}4476C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017066Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:30:01.301{326AC46C-7C94-5FBF-0000-0010AB250600}30883244C:\Windows\system32\conhost.exe{326AC46C-83A9-5FBF-0000-0010136E2900}6136C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017065Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:30:01.301{326AC46C-7C10-5FBF-0000-0010F8650000}5921028C:\Windows\system32\svchost.exe{326AC46C-7C21-5FBF-0000-0010DACB0200}3188C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017064Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:30:01.301{326AC46C-7C10-5FBF-0000-0010F8650000}5921028C:\Windows\system32\svchost.exe{326AC46C-7C21-5FBF-0000-0010DACB0200}3188C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017063Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:30:01.301{326AC46C-7C10-5FBF-0000-0010F8650000}5921028C:\Windows\system32\svchost.exe{326AC46C-7C21-5FBF-0000-0010DACB0200}3188C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017062Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:30:01.301{326AC46C-7C10-5FBF-0000-0010F8650000}5921028C:\Windows\system32\svchost.exe{326AC46C-7C21-5FBF-0000-0010DACB0200}3188C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017061Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:30:01.301{326AC46C-7C0D-5FBF-0000-001005430000}6402148C:\Windows\system32\csrss.exe{326AC46C-83A9-5FBF-0000-0010136E2900}6136C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000017060Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:30:01.301{326AC46C-7C94-5FBF-0000-0010CF200600}4476884C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{326AC46C-83A9-5FBF-0000-0010136E2900}6136C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000017059Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:30:01.301{326AC46C-83A9-5FBF-0000-0010136E2900}6136C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{326AC46C-7C0E-5FBF-0000-0020E7030000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{326AC46C-7C94-5FBF-0000-0010CF200600}4476C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000017075Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:30:03.348{326AC46C-7C94-5FBF-0000-0010AB250600}30883244C:\Windows\system32\conhost.exe{326AC46C-83AB-5FBF-0000-0010BC702900}1756C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017074Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:30:03.348{326AC46C-7C10-5FBF-0000-0010F8650000}5921028C:\Windows\system32\svchost.exe{326AC46C-7C21-5FBF-0000-0010DACB0200}3188C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017073Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:30:03.348{326AC46C-7C10-5FBF-0000-0010F8650000}5921028C:\Windows\system32\svchost.exe{326AC46C-7C21-5FBF-0000-0010DACB0200}3188C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017072Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:30:03.348{326AC46C-7C10-5FBF-0000-0010F8650000}5921028C:\Windows\system32\svchost.exe{326AC46C-7C21-5FBF-0000-0010DACB0200}3188C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017071Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:30:03.348{326AC46C-7C10-5FBF-0000-0010F8650000}5921028C:\Windows\system32\svchost.exe{326AC46C-7C21-5FBF-0000-0010DACB0200}3188C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017070Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:30:03.348{326AC46C-7C0D-5FBF-0000-001005430000}640656C:\Windows\system32\csrss.exe{326AC46C-83AB-5FBF-0000-0010BC702900}1756C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000017069Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:30:03.348{326AC46C-7C94-5FBF-0000-0010CF200600}4476884C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{326AC46C-83AB-5FBF-0000-0010BC702900}1756C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000017068Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:30:03.348{326AC46C-83AB-5FBF-0000-0010BC702900}1756C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{326AC46C-7C0E-5FBF-0000-0020E7030000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{326AC46C-7C94-5FBF-0000-0010CF200600}4476C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000017083Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:30:57.784{326AC46C-7C94-5FBF-0000-0010AB250600}30883244C:\Windows\system32\conhost.exe{326AC46C-83E1-5FBF-0000-0010988E2900}1736C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017082Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:30:57.784{326AC46C-7C10-5FBF-0000-0010F8650000}5921028C:\Windows\system32\svchost.exe{326AC46C-7C21-5FBF-0000-0010DACB0200}3188C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017081Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:30:57.784{326AC46C-7C10-5FBF-0000-0010F8650000}5921028C:\Windows\system32\svchost.exe{326AC46C-7C21-5FBF-0000-0010DACB0200}3188C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017080Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:30:57.784{326AC46C-7C10-5FBF-0000-0010F8650000}5921028C:\Windows\system32\svchost.exe{326AC46C-7C21-5FBF-0000-0010DACB0200}3188C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017079Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:30:57.784{326AC46C-7C10-5FBF-0000-0010F8650000}5921028C:\Windows\system32\svchost.exe{326AC46C-7C21-5FBF-0000-0010DACB0200}3188C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017078Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:30:57.784{326AC46C-7C0D-5FBF-0000-001005430000}6402148C:\Windows\system32\csrss.exe{326AC46C-83E1-5FBF-0000-0010988E2900}1736C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000017077Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:30:57.784{326AC46C-7C94-5FBF-0000-0010CF200600}4476884C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{326AC46C-83E1-5FBF-0000-0010988E2900}1736C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000017076Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:30:57.785{326AC46C-83E1-5FBF-0000-0010988E2900}1736C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{326AC46C-7C0E-5FBF-0000-0020E7030000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{326AC46C-7C94-5FBF-0000-0010CF200600}4476C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000017091Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:30:58.487{326AC46C-7C94-5FBF-0000-0010AB250600}30883244C:\Windows\system32\conhost.exe{326AC46C-83E2-5FBF-0000-001048902900}5800C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017090Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:30:58.487{326AC46C-7C10-5FBF-0000-0010F8650000}5921028C:\Windows\system32\svchost.exe{326AC46C-7C21-5FBF-0000-0010DACB0200}3188C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017089Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:30:58.487{326AC46C-7C10-5FBF-0000-0010F8650000}5921028C:\Windows\system32\svchost.exe{326AC46C-7C21-5FBF-0000-0010DACB0200}3188C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017088Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:30:58.487{326AC46C-7C10-5FBF-0000-0010F8650000}5921028C:\Windows\system32\svchost.exe{326AC46C-7C21-5FBF-0000-0010DACB0200}3188C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017087Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:30:58.487{326AC46C-7C10-5FBF-0000-0010F8650000}5921028C:\Windows\system32\svchost.exe{326AC46C-7C21-5FBF-0000-0010DACB0200}3188C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017086Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:30:58.487{326AC46C-7C0D-5FBF-0000-001005430000}6401160C:\Windows\system32\csrss.exe{326AC46C-83E2-5FBF-0000-001048902900}5800C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000017085Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:30:58.487{326AC46C-7C94-5FBF-0000-0010CF200600}4476884C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{326AC46C-83E2-5FBF-0000-001048902900}5800C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000017084Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:30:58.488{326AC46C-83E2-5FBF-0000-001048902900}5800C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{326AC46C-7C0E-5FBF-0000-0020E7030000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{326AC46C-7C94-5FBF-0000-0010CF200600}4476C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000017100Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:30:59.143{326AC46C-83E3-5FBF-0000-001021922900}61965832C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{326AC46C-7C94-5FBF-0000-0010CF200600}4476C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017099Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:30:59.018{326AC46C-7C94-5FBF-0000-0010AB250600}30883244C:\Windows\system32\conhost.exe{326AC46C-83E3-5FBF-0000-001021922900}6196C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017098Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:30:59.018{326AC46C-7C10-5FBF-0000-0010F8650000}5921028C:\Windows\system32\svchost.exe{326AC46C-7C21-5FBF-0000-0010DACB0200}3188C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017097Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:30:59.018{326AC46C-7C10-5FBF-0000-0010F8650000}5921028C:\Windows\system32\svchost.exe{326AC46C-7C21-5FBF-0000-0010DACB0200}3188C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017096Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:30:59.018{326AC46C-7C10-5FBF-0000-0010F8650000}5921028C:\Windows\system32\svchost.exe{326AC46C-7C21-5FBF-0000-0010DACB0200}3188C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017095Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:30:59.018{326AC46C-7C10-5FBF-0000-0010F8650000}5921028C:\Windows\system32\svchost.exe{326AC46C-7C21-5FBF-0000-0010DACB0200}3188C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017094Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:30:59.018{326AC46C-7C0D-5FBF-0000-001005430000}640656C:\Windows\system32\csrss.exe{326AC46C-83E3-5FBF-0000-001021922900}6196C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000017093Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:30:59.018{326AC46C-7C94-5FBF-0000-0010CF200600}4476884C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{326AC46C-83E3-5FBF-0000-001021922900}6196C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000017092Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:30:59.020{326AC46C-83E3-5FBF-0000-001021922900}6196C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{326AC46C-7C0E-5FBF-0000-0020E7030000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{326AC46C-7C94-5FBF-0000-0010CF200600}4476C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000017118Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:31:00.800{326AC46C-83E4-5FBF-0000-00107B952900}60083364C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{326AC46C-7C94-5FBF-0000-0010CF200600}4476C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017117Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:31:00.675{326AC46C-7C94-5FBF-0000-0010AB250600}30883244C:\Windows\system32\conhost.exe{326AC46C-83E4-5FBF-0000-00107B952900}6008C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017116Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:31:00.675{326AC46C-7C10-5FBF-0000-0010F8650000}5921028C:\Windows\system32\svchost.exe{326AC46C-7C21-5FBF-0000-0010DACB0200}3188C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017115Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:31:00.675{326AC46C-7C10-5FBF-0000-0010F8650000}5921028C:\Windows\system32\svchost.exe{326AC46C-7C21-5FBF-0000-0010DACB0200}3188C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017114Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:31:00.675{326AC46C-7C10-5FBF-0000-0010F8650000}5921028C:\Windows\system32\svchost.exe{326AC46C-7C21-5FBF-0000-0010DACB0200}3188C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017113Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:31:00.675{326AC46C-7C10-5FBF-0000-0010F8650000}5921028C:\Windows\system32\svchost.exe{326AC46C-7C21-5FBF-0000-0010DACB0200}3188C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017112Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:31:00.675{326AC46C-7C0D-5FBF-0000-001005430000}640800C:\Windows\system32\csrss.exe{326AC46C-83E4-5FBF-0000-00107B952900}6008C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000017111Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:31:00.675{326AC46C-7C94-5FBF-0000-0010CF200600}4476884C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{326AC46C-83E4-5FBF-0000-00107B952900}6008C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000017110Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:31:00.676{326AC46C-83E4-5FBF-0000-00107B952900}6008C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe?????"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{326AC46C-7C0E-5FBF-0000-0020E7030000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{326AC46C-7C94-5FBF-0000-0010CF200600}4476C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000017109Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:31:00.190{326AC46C-83E4-5FBF-0000-0010D6932900}6632920C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{326AC46C-7C94-5FBF-0000-0010CF200600}4476C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017108Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:31:00.065{326AC46C-7C94-5FBF-0000-0010AB250600}30883244C:\Windows\system32\conhost.exe{326AC46C-83E4-5FBF-0000-0010D6932900}6632C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017107Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:31:00.065{326AC46C-7C10-5FBF-0000-0010F8650000}5921028C:\Windows\system32\svchost.exe{326AC46C-7C21-5FBF-0000-0010DACB0200}3188C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017106Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:31:00.065{326AC46C-7C10-5FBF-0000-0010F8650000}5921028C:\Windows\system32\svchost.exe{326AC46C-7C21-5FBF-0000-0010DACB0200}3188C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017105Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:31:00.065{326AC46C-7C10-5FBF-0000-0010F8650000}5921028C:\Windows\system32\svchost.exe{326AC46C-7C21-5FBF-0000-0010DACB0200}3188C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017104Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:31:00.065{326AC46C-7C10-5FBF-0000-0010F8650000}5921028C:\Windows\system32\svchost.exe{326AC46C-7C21-5FBF-0000-0010DACB0200}3188C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017103Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:31:00.065{326AC46C-7C0D-5FBF-0000-001005430000}640800C:\Windows\system32\csrss.exe{326AC46C-83E4-5FBF-0000-0010D6932900}6632C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000017102Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:31:00.065{326AC46C-7C94-5FBF-0000-0010CF200600}4476884C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{326AC46C-83E4-5FBF-0000-0010D6932900}6632C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000017101Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:31:00.066{326AC46C-83E4-5FBF-0000-0010D6932900}6632C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe?????"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{326AC46C-7C0E-5FBF-0000-0020E7030000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{326AC46C-7C94-5FBF-0000-0010CF200600}4476C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000017127Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:31:01.440{326AC46C-83E5-5FBF-0000-00103A972900}50006176C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{326AC46C-7C94-5FBF-0000-0010CF200600}4476C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017126Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:31:01.300{326AC46C-7C94-5FBF-0000-0010AB250600}30883244C:\Windows\system32\conhost.exe{326AC46C-83E5-5FBF-0000-00103A972900}5000C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017125Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:31:01.300{326AC46C-7C10-5FBF-0000-0010F8650000}5921028C:\Windows\system32\svchost.exe{326AC46C-7C21-5FBF-0000-0010DACB0200}3188C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017124Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:31:01.300{326AC46C-7C10-5FBF-0000-0010F8650000}5921028C:\Windows\system32\svchost.exe{326AC46C-7C21-5FBF-0000-0010DACB0200}3188C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017123Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:31:01.300{326AC46C-7C10-5FBF-0000-0010F8650000}5921028C:\Windows\system32\svchost.exe{326AC46C-7C21-5FBF-0000-0010DACB0200}3188C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017122Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:31:01.300{326AC46C-7C10-5FBF-0000-0010F8650000}5921028C:\Windows\system32\svchost.exe{326AC46C-7C21-5FBF-0000-0010DACB0200}3188C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017121Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:31:01.300{326AC46C-7C0D-5FBF-0000-001005430000}640800C:\Windows\system32\csrss.exe{326AC46C-83E5-5FBF-0000-00103A972900}5000C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000017120Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:31:01.300{326AC46C-7C94-5FBF-0000-0010CF200600}4476884C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{326AC46C-83E5-5FBF-0000-00103A972900}5000C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000017119Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:31:01.301{326AC46C-83E5-5FBF-0000-00103A972900}5000C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{326AC46C-7C0E-5FBF-0000-0020E7030000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{326AC46C-7C94-5FBF-0000-0010CF200600}4476C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000017135Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:31:03.362{326AC46C-7C94-5FBF-0000-0010AB250600}30883244C:\Windows\system32\conhost.exe{326AC46C-83E7-5FBF-0000-0010E6992900}2164C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017134Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:31:03.362{326AC46C-7C10-5FBF-0000-0010F8650000}5921028C:\Windows\system32\svchost.exe{326AC46C-7C21-5FBF-0000-0010DACB0200}3188C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017133Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:31:03.362{326AC46C-7C10-5FBF-0000-0010F8650000}5921028C:\Windows\system32\svchost.exe{326AC46C-7C21-5FBF-0000-0010DACB0200}3188C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017132Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:31:03.362{326AC46C-7C10-5FBF-0000-0010F8650000}5921028C:\Windows\system32\svchost.exe{326AC46C-7C21-5FBF-0000-0010DACB0200}3188C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017131Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:31:03.362{326AC46C-7C10-5FBF-0000-0010F8650000}5921028C:\Windows\system32\svchost.exe{326AC46C-7C21-5FBF-0000-0010DACB0200}3188C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017130Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:31:03.362{326AC46C-7C0D-5FBF-0000-001005430000}6402148C:\Windows\system32\csrss.exe{326AC46C-83E7-5FBF-0000-0010E6992900}2164C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000017129Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:31:03.362{326AC46C-7C94-5FBF-0000-0010CF200600}4476884C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{326AC46C-83E7-5FBF-0000-0010E6992900}2164C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000017128Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:31:03.363{326AC46C-83E7-5FBF-0000-0010E6992900}2164C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{326AC46C-7C0E-5FBF-0000-0020E7030000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{326AC46C-7C94-5FBF-0000-0010CF200600}4476C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000017136Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:31:21.643{326AC46C-7C10-5FBF-0000-001009AA0000}6166996C:\Windows\system32\svchost.exe{326AC46C-7EC7-5FBF-0000-00103B650D00}2972C:\Windows\System32\rdpclip.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017165Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:31:30.346{326AC46C-7C10-5FBF-0000-001009AA0000}616576C:\Windows\system32\svchost.exe{326AC46C-7EDD-5FBF-0000-001031601100}5200C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017164Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:31:30.346{326AC46C-7C10-5FBF-0000-001009AA0000}616576C:\Windows\system32\svchost.exe{326AC46C-7EDD-5FBF-0000-001031601100}5200C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017163Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:31:30.346{326AC46C-7C10-5FBF-0000-001009AA0000}616576C:\Windows\system32\svchost.exe{326AC46C-7EDD-5FBF-0000-001031601100}5200C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017162Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:31:30.346{326AC46C-7C10-5FBF-0000-001009AA0000}616576C:\Windows\system32\svchost.exe{326AC46C-7EDD-5FBF-0000-001031601100}5200C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017161Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:31:30.346{326AC46C-7C10-5FBF-0000-001009AA0000}616576C:\Windows\system32\svchost.exe{326AC46C-7EDD-5FBF-0000-001031601100}5200C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017160Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:31:30.346{326AC46C-7C10-5FBF-0000-001009AA0000}616576C:\Windows\system32\svchost.exe{326AC46C-7EDD-5FBF-0000-001031601100}5200C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017159Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:31:30.346{326AC46C-7C10-5FBF-0000-001009AA0000}616576C:\Windows\system32\svchost.exe{326AC46C-7EDD-5FBF-0000-001031601100}5200C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017158Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:31:30.346{326AC46C-7C10-5FBF-0000-001009AA0000}616576C:\Windows\system32\svchost.exe{326AC46C-7EC8-5FBF-0000-001074D40D00}3504C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017157Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:31:30.346{326AC46C-7C10-5FBF-0000-001009AA0000}616576C:\Windows\system32\svchost.exe{326AC46C-7EC8-5FBF-0000-001074D40D00}3504C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017156Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:31:30.346{326AC46C-7C10-5FBF-0000-001009AA0000}616576C:\Windows\system32\svchost.exe{326AC46C-7EC8-5FBF-0000-001074D40D00}3504C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017155Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:31:30.346{326AC46C-7C10-5FBF-0000-001009AA0000}616576C:\Windows\system32\svchost.exe{326AC46C-7EC8-5FBF-0000-001074D40D00}3504C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017154Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:31:30.346{326AC46C-7C10-5FBF-0000-001009AA0000}616576C:\Windows\system32\svchost.exe{326AC46C-7EC8-5FBF-0000-001074D40D00}3504C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017153Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:31:30.346{326AC46C-7C10-5FBF-0000-001009AA0000}616576C:\Windows\system32\svchost.exe{326AC46C-7EC8-5FBF-0000-001074D40D00}3504C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017152Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:31:30.346{326AC46C-7C10-5FBF-0000-001009AA0000}616576C:\Windows\system32\svchost.exe{326AC46C-7EC8-5FBF-0000-001074D40D00}3504C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017151Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:31:30.346{326AC46C-7C10-5FBF-0000-001009AA0000}616576C:\Windows\system32\svchost.exe{326AC46C-7EC8-5FBF-0000-001074D40D00}3504C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017150Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:31:30.346{326AC46C-7C10-5FBF-0000-001009AA0000}616576C:\Windows\system32\svchost.exe{326AC46C-7EC8-5FBF-0000-001074D40D00}3504C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017149Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:31:30.346{326AC46C-7C10-5FBF-0000-001009AA0000}616576C:\Windows\system32\svchost.exe{326AC46C-7EC8-5FBF-0000-001074D40D00}3504C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017148Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:31:30.346{326AC46C-7C10-5FBF-0000-001009AA0000}616576C:\Windows\system32\svchost.exe{326AC46C-7EC8-5FBF-0000-001074D40D00}3504C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017147Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:31:30.346{326AC46C-7C10-5FBF-0000-001009AA0000}616576C:\Windows\system32\svchost.exe{326AC46C-7EC8-5FBF-0000-001074D40D00}3504C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017146Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:31:30.346{326AC46C-7C10-5FBF-0000-001009AA0000}616576C:\Windows\system32\svchost.exe{326AC46C-7EC8-5FBF-0000-001074D40D00}3504C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017145Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:31:30.346{326AC46C-7C10-5FBF-0000-001009AA0000}616576C:\Windows\system32\svchost.exe{326AC46C-7EC8-5FBF-0000-001074D40D00}3504C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017144Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:31:30.346{326AC46C-7C10-5FBF-0000-001009AA0000}616576C:\Windows\system32\svchost.exe{326AC46C-7EDD-5FBF-0000-001020381100}3460C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017143Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:31:30.346{326AC46C-7C10-5FBF-0000-001009AA0000}616576C:\Windows\system32\svchost.exe{326AC46C-7EDD-5FBF-0000-001020381100}3460C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017142Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:31:30.346{326AC46C-7C10-5FBF-0000-001009AA0000}616576C:\Windows\system32\svchost.exe{326AC46C-7EDD-5FBF-0000-001020381100}3460C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017141Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:31:30.346{326AC46C-7C10-5FBF-0000-001009AA0000}616576C:\Windows\system32\svchost.exe{326AC46C-7EDD-5FBF-0000-001020381100}3460C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017140Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:31:30.346{326AC46C-7C10-5FBF-0000-001009AA0000}616576C:\Windows\system32\svchost.exe{326AC46C-7EDD-5FBF-0000-001020381100}3460C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017139Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:31:30.346{326AC46C-7C10-5FBF-0000-001009AA0000}616576C:\Windows\system32\svchost.exe{326AC46C-7EDD-5FBF-0000-001020381100}3460C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017138Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:31:30.346{326AC46C-7C10-5FBF-0000-001009AA0000}616576C:\Windows\system32\svchost.exe{326AC46C-7EDD-5FBF-0000-001020381100}3460C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017137Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:31:30.346{326AC46C-7C10-5FBF-0000-001009AA0000}616576C:\Windows\system32\svchost.exe{326AC46C-7EDD-5FBF-0000-001020381100}3460C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42269|c:\windows\system32\rpcss.dll+423a2|c:\windows\system32\rpcss.dll+426df|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017173Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:31:57.798{326AC46C-7C94-5FBF-0000-0010AB250600}30883244C:\Windows\system32\conhost.exe{326AC46C-841D-5FBF-0000-001099A62900}6920C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017172Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:31:57.798{326AC46C-7C10-5FBF-0000-0010F8650000}5921028C:\Windows\system32\svchost.exe{326AC46C-7C21-5FBF-0000-0010DACB0200}3188C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017171Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:31:57.798{326AC46C-7C10-5FBF-0000-0010F8650000}5921028C:\Windows\system32\svchost.exe{326AC46C-7C21-5FBF-0000-0010DACB0200}3188C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017170Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:31:57.798{326AC46C-7C10-5FBF-0000-0010F8650000}5921028C:\Windows\system32\svchost.exe{326AC46C-7C21-5FBF-0000-0010DACB0200}3188C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017169Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:31:57.798{326AC46C-7C10-5FBF-0000-0010F8650000}5921028C:\Windows\system32\svchost.exe{326AC46C-7C21-5FBF-0000-0010DACB0200}3188C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017168Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:31:57.798{326AC46C-7C0D-5FBF-0000-001005430000}6401160C:\Windows\system32\csrss.exe{326AC46C-841D-5FBF-0000-001099A62900}6920C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000017167Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:31:57.798{326AC46C-7C94-5FBF-0000-0010CF200600}4476884C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{326AC46C-841D-5FBF-0000-001099A62900}6920C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000017166Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:31:57.799{326AC46C-841D-5FBF-0000-001099A62900}6920C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{326AC46C-7C0E-5FBF-0000-0020E7030000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{326AC46C-7C94-5FBF-0000-0010CF200600}4476C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000017181Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:31:58.501{326AC46C-7C94-5FBF-0000-0010AB250600}30883244C:\Windows\system32\conhost.exe{326AC46C-841E-5FBF-0000-00104DA82900}5828C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017180Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:31:58.501{326AC46C-7C10-5FBF-0000-0010F8650000}5921028C:\Windows\system32\svchost.exe{326AC46C-7C21-5FBF-0000-0010DACB0200}3188C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017179Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:31:58.501{326AC46C-7C10-5FBF-0000-0010F8650000}5921028C:\Windows\system32\svchost.exe{326AC46C-7C21-5FBF-0000-0010DACB0200}3188C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017178Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:31:58.501{326AC46C-7C10-5FBF-0000-0010F8650000}5921028C:\Windows\system32\svchost.exe{326AC46C-7C21-5FBF-0000-0010DACB0200}3188C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017177Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:31:58.501{326AC46C-7C10-5FBF-0000-0010F8650000}5921028C:\Windows\system32\svchost.exe{326AC46C-7C21-5FBF-0000-0010DACB0200}3188C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017176Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:31:58.501{326AC46C-7C0D-5FBF-0000-001005430000}6402148C:\Windows\system32\csrss.exe{326AC46C-841E-5FBF-0000-00104DA82900}5828C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000017175Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:31:58.501{326AC46C-7C94-5FBF-0000-0010CF200600}4476884C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{326AC46C-841E-5FBF-0000-00104DA82900}5828C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000017174Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:31:58.502{326AC46C-841E-5FBF-0000-00104DA82900}5828C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{326AC46C-7C0E-5FBF-0000-0020E7030000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{326AC46C-7C94-5FBF-0000-0010CF200600}4476C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000017190Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:31:59.298{326AC46C-841F-5FBF-0000-001006AA2900}64765904C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{326AC46C-7C94-5FBF-0000-0010CF200600}4476C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017189Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:31:59.173{326AC46C-7C94-5FBF-0000-0010AB250600}30883244C:\Windows\system32\conhost.exe{326AC46C-841F-5FBF-0000-001006AA2900}6476C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017188Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:31:59.173{326AC46C-7C10-5FBF-0000-0010F8650000}5921028C:\Windows\system32\svchost.exe{326AC46C-7C21-5FBF-0000-0010DACB0200}3188C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017187Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:31:59.173{326AC46C-7C10-5FBF-0000-0010F8650000}5921028C:\Windows\system32\svchost.exe{326AC46C-7C21-5FBF-0000-0010DACB0200}3188C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017186Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:31:59.173{326AC46C-7C10-5FBF-0000-0010F8650000}5921028C:\Windows\system32\svchost.exe{326AC46C-7C21-5FBF-0000-0010DACB0200}3188C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017185Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:31:59.173{326AC46C-7C10-5FBF-0000-0010F8650000}5921028C:\Windows\system32\svchost.exe{326AC46C-7C21-5FBF-0000-0010DACB0200}3188C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017184Microsoft-Windows-Sysmon/Operationalwin-dc-655.attackrange.local2020-11-26 10:31:59.173{326AC46C-7C0D-5FBF-0000-0010054